Abstract. Taha and Nielsen have developed a multi-stage calculus $\lambda^\alpha$ with a sound type system using the notion of environment classifiers. They are special identifiers, with which code fragments and variable declarations are annotated, and their scoping mechanism is used to ensure statically that certain code fragments are closed and safely runnable.

In this paper, we investigate the Curry-Howard isomorphism for environment classifiers by developing a typed $\lambda$-calculus $\lambda^{\triangleright}$. It corresponds to a multi-modal logic that allows quantification by transition variables, a counterpart of classifiers, which range over (possibly empty) sequences of labeled transitions between possible worlds. This interpretation reduces the "run" construct, which has a special typing rule in $\lambda^\alpha$, and the embedding of closed code into other code fragments of different stages, which in $\lambda^\alpha$ can only be realized by the cross-stage persistence operator, to merely a special case of classifier application. $\lambda^{\triangleright}$ enjoys not only basic properties including subject reduction, confluence, and strong normalization but also an important property of a multi-stage calculus: time-ordered normalization of full reduction.

Then, we develop a big-step evaluation semantics for an ML-like language based on $\lambda^{\triangleright}$ with its type system and prove that the evaluation of a well-typed $\lambda^{\triangleright}$ program is properly staged. We also identify a fragment of the language where erasure evaluation is possible.

Finally, we show that the proof system augmented with a classical axiom is sound and 
complete with respect to a Kripke semantics of the logic. 



A number of programming languages and systems that support manipulation of programs as data [TJ [5J O El E] have been developed in the last two decades. A popular language abstraction in these languages consists of the Lisp-like quasiquotation mechanism to create and compose code fragments and a function to run them, like eval in Lisp. For those languages and systems, a number of type systems for so-called "multi-stage" calculi have been studied [HI El El El [10J HI] to guarantee safety of generated programs even before the generating program runs.

1998 ACM Subject Classification: D.3.3, F.3.3, F.4.1. 

Key words and phrases: Curry-Howard correspondence, Environment classifiers, Modal logic, Multi-stage 
calculus. 
Among them, some seminal work on the principled design of type systems for multi-stage calculi is due to Davies [7] and Davies and Pfenning [12, 8]. They discovered the Curry-Howard isomorphism between modal/temporal logics and multi-stage calculi by identifying (1) modal operators in modal logic with type constructors for code fragments treated as data and, in the case of temporal logic, (2) the notion of time with computation stages. For example, the calculus $\lambda^{\bigcirc}$ [7], which can be thought of as a reformulation of Glück and Jørgensen's calculus for multi-level generating extensions [6] by using explicit quasiquote and unquote in the language, corresponds to a fragment of linear-time temporal logic (LTL) with the temporal operator "next" (written $\bigcirc$) [Ej. Here, linearly ordered time corresponds to the level of nesting of quasiquotations, and a modal formula $\bigcirc A$ to the type of code of type $A$. It, however, does not treat eval; in fact, the code type in $\lambda^{\bigcirc}$ represents code values whose bodies are open, that is, may have free variables, so simply adding eval to the calculus does not work: execution may fail by referencing free variables in the code. The calculus developed by Davies and Pfenning [12, 8], on the other hand, corresponds to (intuitionistic) modal logic S4 (only with the necessity operator $\Box$), in which a formula $\Box A$ is considered the type of closed code values of type $A$. It supports safe eval since every code is closed, but the inability to deal with open code hampers generation of efficient code. The following work by Taha and others [5j [Til [T5l |£l [16] sought various forms of combinations of the two systems above to develop expressive type systems for multi-stage calculi.

Finally, Taha and Nielsen [9] developed a multi-stage calculus $\lambda^\alpha$, which was later modified to make type inference possible [16] and implemented as a basis of MetaOCaml. The calculus $\lambda^\alpha$ has a strong type system while supporting open code, run (which corresponds to eval), and a mechanism called cross-stage persistence (CSP), which allows a value to be embedded in a code fragment evaluated later. They introduced the notion of environment classifiers (or, simply, classifiers), which are special identifiers with which code fragments and variable declarations are annotated, to the type system. A key idea is to reduce the closedness checking of a code fragment (which is useful to guarantee the safety of run) to the freshness checking of a classifier. Unfortunately, however, the correspondence to a logic is no longer clear for $\lambda^\alpha$, resulting in somewhat ad-hoc typing rules and complicated operational semantics, which would be difficult to adapt to different settings.

In this paper, we investigate a Curry-Howard isomorphism for environment classifiers by developing a typed $\lambda$-calculus $\lambda^{\triangleright}$. As a computational calculus, $\lambda^{\triangleright}$ is equipped with quasiquotation (annotated with environment classifiers) and abstraction over environment classifiers just like $\lambda^\alpha$, with application of a classifier abstraction to a possibly empty sequence of environment classifiers, which makes $\lambda^{\triangleright}$ different from $\lambda^\alpha$. Intuitively, (the type system of) $\lambda^{\triangleright}$ can be considered a proof system of a multi-modal logic to reason about deterministic labeled transition systems. Here, modal operators are indexed with transition labels, and so the logic is multi-modal. One notable feature of the logic is that it has quantification that allows one to express "for any state transitions," where a state transition is a possibly empty sequence of labels. This quantifier corresponds to types for classifier abstractions, used to ensure freshness of classifiers, which correspond to transition labels (and variables ranging over their sequences).

A pleasant effect of this logical interpretation, in particular of interpreting environment classifiers as variables ranging over sequences of transition labels, is that it reduces the run construct, which has a peculiar typing rule in $\lambda^\alpha$, and the embedding of closed code into other code fragments of different stages, which in $\lambda^\alpha$ can only be realized by the CSP operator, to merely a special case of classifier application.
Our technical contributions can be summarized as follows:

• Identification of a modal logic that corresponds to (a computational calculus with) environment classifiers;

• Development of a new typed $\lambda$-calculus $\lambda^{\triangleright}$, which emerges naturally from the correspondence, with its syntax, operational (small-step reduction and big-step evaluation) semantics, and type system;

• Proofs of basic properties, which a multi-stage calculus is expected to enjoy; and

• Proofs of soundness and completeness of the proof system (augmented with a classical axiom) with respect to a Kripke semantics of the logic.

Our calculus $\lambda^{\triangleright}$ not only enjoys the basic properties such as subject reduction, confluence, and strong normalization but also time-ordered normalization [JJ [10], which says that (full) reduction to a normal form can always be performed according to the order of stages. We extend $\lambda^{\triangleright}$ with base types and recursion, define a big-step evaluation semantics as a basis of a multi-stage programming language such as MetaOCaml, and prove that the evaluation of a well-typed program is safe and staged, i.e., if a program of a code type evaluates to a result, it is a code value whose body is again a well-typed program. We also develop an erasure semantics, where information on classifiers is (mostly) discarded, and identify, by an alternative type system, a subset of the language where the original and erasure semantics agree. It turns out that the subset is rather similar to $\lambda^{i}$ [16], whose type system is used in the current implementation of MetaOCaml.

One missing feature in $\lambda^{\triangleright}$ is CSP for all types of values, but we do not think it is a big problem. First, CSP for primitive types such as integers is easy to add as a primitive; CSP for function types is also possible as long as they do not deal with open code, which, we believe, is usually the case. Second, as mentioned above, embedding closed code into code fragments of later stages is supported by a different means. It does not seem very easy to add CSP for open code to $\lambda^{\triangleright}$, but we think it is rarely needed. For more detail, see Section 6.3.

We can obtain a natural deduction proof system of a new logic that corresponds to the calculus $\lambda^{\triangleright}$ just by removing terms from the typing rules, as usual. It is also easy to see that terms and reduction in the calculus correspond to proofs and proof normalization in the logic, respectively.

Of course, we should answer an important question: "What does this logic really mean?" We will elaborate the intuitive meaning of formulae in Section 2, and the proof rules can be understood according to this informal interpretation, but, to answer this question more precisely, one has to give a semantics and prove that the proof system is sound and complete with respect to the semantics. However, the logic is intuitionistic and it is not straightforward to give a (Kripke) semantics [TTJ. So, instead of a Kripke semantics of the logic directly corresponding to $\lambda^{\triangleright}$, we give one for a classical version of the proof system, which has a proof rule for double negation elimination, and prove that the proof system is sound and complete with respect to it in Section 5. Even though the semantics does not really correspond to $\lambda^{\triangleright}$, it justifies our informal interpretation.

Organization of the Paper. In Section 2 we review $\lambda^\alpha$ and informally describe how the features of its type system correspond to those of a logic. In Section 3 we define the multi-stage calculus $\lambda^{\triangleright}$ and prove basic properties including subject reduction, strong normalization, confluence, and time-ordered normalization. In Section 4 we define $\mathrm{MiniML}^{\triangleright}$, an extension of $\lambda^{\triangleright}$ with base types and recursion, with its big-step semantics, and prove that the big-step semantics implements staged execution. We also investigate an erasure semantics of a subset of $\mathrm{MiniML}^{\triangleright}$ there. In Section 5 we formally define (a classical version of) the logic and prove soundness and completeness of the proof system (augmented with a classical rule) with respect to a Kripke semantics. Lastly, we discuss related work and conclude.

2. Interpreting Environment Classifiers in a Modal Logic 

In this section, we informally describe how environment classifiers can be interpreted in a modal logic. We start by reviewing Davies' $\lambda^{\bigcirc}$ [7] to get an intuition of how notions in a modal logic correspond to those in a multi-stage calculus. Then, along with reviewing the main ideas of environment classifiers, we describe our logic informally and how our calculus differs from $\lambda^\alpha$ by Taha and Nielsen [9].

2.1. $\lambda^{\bigcirc}$: Multi-Stage Calculus Based on LTL. Davies has developed the typed multi-stage calculus $\lambda^{\bigcirc}$, which corresponds to a fragment of intuitionistic LTL by the Curry-Howard isomorphism. It can be considered the $\lambda$-calculus with a Lisp-like quasiquotation mechanism. We first review linear-time temporal logic and the correspondence between the logic and the calculus.

In LTL, the truth of propositions may depend on discrete and linearly ordered time, i.e., a given time has a unique time that follows it. Some of the standard temporal operators are $\bigcirc$ (to mean "next"), $\Box$ (to mean "always"), and $\mathcal{U}$ (to mean "until"). The Kripke semantics of (classical) LTL can be given by taking the set of natural numbers as possible worlds;¹ then, for example, the semantics of $\bigcirc$ is given by: $n \Vdash \bigcirc\tau$ if and only if $n+1 \Vdash \tau$, where $n \Vdash \tau$ is the satisfaction relation, which means "$\tau$ is true in world (or, at time) $n$."

In addition to the usual Curry-Howard correspondence between propositions and types and between proofs and terms, Davies has pointed out additional correspondences between time and computation stages (i.e., levels of nested quotations) and between the temporal operator $\bigcirc$ and the type constructor meaning "the type of code of". So, for example, $\bigcirc\tau_1 \to \bigcirc\tau_2$, which means "if $\tau_1$ holds at the next time, then $\tau_2$ holds at the next time," is considered the type of functions that take a piece of code of type $\tau_1$ and return another piece of code of type $\tau_2$. According to this intuition, he has developed $\lambda^{\bigcirc}$, corresponding to the fragment of LTL with only $\bigcirc$.

$\lambda^{\bigcirc}$ has two new term constructors $\mathsf{next}\ M$ and $\mathsf{prev}\ M$, which correspond to the introduction and elimination rules of $\bigcirc$, respectively. The type judgment of $\lambda^{\bigcirc}$ is of the form $\Gamma \vdash^n M : \tau$, where $\Gamma$ is a context, $M$ is a term, $\tau$ is a type (a proposition of LTL with only $\bigcirc$), and $n$ is a natural number indicating a stage. A context, which corresponds to assumptions, is a mapping from variables to pairs of a type and a natural number, since the truth of a proposition depends on time. The key typing rules are those for next and prev:



$$\frac{\Gamma \vdash^{n+1} M : \tau}{\Gamma \vdash^{n} \mathsf{next}\ M : \bigcirc\tau} \qquad\qquad \frac{\Gamma \vdash^{n} M : \bigcirc\tau}{\Gamma \vdash^{n+1} \mathsf{prev}\ M : \tau}$$

¹ Note that this is equivalent to another, perhaps more standard presentation as a sublogic of CTL* [13].
The former means that, if $M$ is of type $\tau$ at stage $n+1$, then, at stage $n$, $\mathsf{next}\ M$ is code of type $\tau$; the latter is its converse. Computationally, next and prev can be considered quasiquote and unquote, respectively. So, in addition to the standard $\beta$-reduction, $\lambda^{\bigcirc}$ has the reduction rule $\mathsf{prev}\ (\mathsf{next}\ M) \longrightarrow M$, which cancels next by prev.

The code types in $\lambda^{\bigcirc}$ are often called open code types, since the quoted code may contain free variables, so naively adding a construct to "run" quoted code does not work, since it may cause unbound variable errors.

Although the logic is considered intuitionistic, Davies has only shown that the proof system augmented with double negation elimination is equivalent to a standard axiomatic formulation [13], which is known to be sound and complete with respect to the Kripke semantics described above. Kojima and Igarashi [18, 19] have studied the semantics of intuitionistic LTL and shown that the proof system obtained from $\lambda^{\bigcirc}$ is sound and complete with respect to the given semantics. Even though the Kripke semantics discussed here does not really correspond to the logic obtained from the calculus, it certainly helps to understand the intuition behind the logic, and we will continue to use Kripke semantics in what follows for explanatory purposes.

2.2. Multi-Modal Logic for Environment Classifiers. Taha and Nielsen [9] have introduced environment classifiers to develop $\lambda^\alpha$, which has quasiquotation, run, and CSP with a strong type system. We explain how $\lambda^\alpha$ can be derived from $\lambda^{\bigcirc}$.² Environment classifiers are a special kind of identifiers with which code types and quoting are annotated: for each classifier $\alpha$, there are a type constructor $\langle\tau\rangle^\alpha$ for code and a term constructor $\langle M\rangle^\alpha$ to quote $M$. Then, a stage is naturally expressed by a sequence of classifiers, and a type judgment is of the form $\Gamma \vdash^{A} M : \tau$, where the natural numbers in a $\lambda^{\bigcirc}$ type judgment are replaced with sequences $A$ of classifiers. So, the typing rules of quoting and unquoting (written $\sim M$) in $\lambda^\alpha$ are given as follows:

$$\frac{\Gamma \vdash^{A\alpha} M : \tau}{\Gamma \vdash^{A} \langle M\rangle^\alpha : \langle\tau\rangle^\alpha} \qquad\qquad \frac{\Gamma \vdash^{A} M : \langle\tau\rangle^\alpha}{\Gamma \vdash^{A\alpha} \sim M : \tau}$$

Obviously, this is a generalization of $\lambda^{\bigcirc}$: if only one classifier is allowed, then the calculus is essentially $\lambda^{\bigcirc}$.

The corresponding logic would also be a generalization of LTL, in which there are several "dimensions" of linearly ordered time. A Kripke frame for the logic is given by a transition system in which each transition relation is a map. More formally, a frame is a triple $(S, L, \{\xrightarrow{a} \mid a \in L\})$, where $S$ is the (non-empty) set of states, $L$ is the set of labels, and $\xrightarrow{a} \in S \to S$ for each $a \in L$. Then, the semantics of $\langle\tau\rangle^a$ is given by: $s \Vdash \langle\tau\rangle^a$ if and only if $s' \Vdash \tau$ for any $s'$ such that $s \xrightarrow{a} s'$, where $s$ and $s'$ are states.

The calculus $\lambda^\alpha$ also has a scoping mechanism for classifiers, and it plays a central role in guaranteeing the safety of run. The term $(\alpha)M$, which binds $\alpha$ in $M$, declares that $\alpha$ is used locally in $M$, and such a local classifier can be instantiated with another classifier by the term $M[\beta]$. We show the typing rules for them, together with the one for run, below:

$$\frac{\Gamma \vdash^{A} M : \tau \quad \alpha \notin \mathrm{FV}(\Gamma, A)}{\Gamma \vdash^{A} (\alpha)M : (\alpha)\tau} \qquad \frac{\Gamma \vdash^{A} M : (\alpha)\tau}{\Gamma \vdash^{A} M[\beta] : \tau[\alpha := \beta]} \qquad \frac{\Gamma \vdash^{A} M : (\alpha)\langle\tau\rangle^\alpha}{\Gamma \vdash^{A} \mathsf{run}\ M : (\alpha)\tau}$$

² Unlike the original presentation, classifiers do not appear explicitly in contexts here. The typing rules shown are adapted accordingly.
The rule for $(\alpha)M$ requires that $\alpha$ does not occur in the context (the term $M$ has no free variable³ labeled $\alpha$) and gives a type of the form $(\alpha)\tau$, which Taha and Nielsen called an $\alpha$-closed type and which characterizes a relaxed notion of closedness. For example, the term $\langle\lambda x{:}b.x\rangle^\alpha$ is a closed term, so this term is $\alpha$-closed and the judgment $\vdash^{\varepsilon} (\alpha)\langle\lambda x{:}b.x\rangle^\alpha : (\alpha)\langle b \to b\rangle^\alpha$ is valid. The term $\langle x\rangle^\alpha$, however, is not $\alpha$-closed because this term has the free variable $x$ in the stage $\alpha$, but it is $\beta$-closed (if $\beta \neq \alpha$) because there is no free variable in a stage containing the classifier $\beta$. The rule for $\mathsf{run}\ M$ says that an $\alpha$-closed code fragment annotated with $\alpha$ can be run. Note that $\langle\cdot\rangle^\alpha$ (but not $(\alpha)\cdot$) is removed in the type of $\mathsf{run}\ M$. Taha and Nielsen have shown that $\alpha$-closedness is sufficient to guarantee the safety of run.

When this system is to be interpreted as a logic, it is fairly clear that $(\alpha)\tau$ is a kind of universal quantifier, as Taha and Nielsen have also pointed out [9]. Then, the question is "What does a classifier range over?", which has not really been answered so far. Another interesting question is "How can the typing rule for run be read logically?"

One plausible answer to the first question is that "classifiers range over the set of transition labels". This interpretation matches the rule for $M[\beta]$, and it seems that the typing rules without run (with a classical axiom) are sound and complete with respect to the Kripke semantics that defines $s \Vdash (\alpha)\tau$ by $s \Vdash \tau[\alpha := \beta]$ for all $\beta \in L$. However, it is then difficult to explain the rule for run.

The key idea to solve this problem is to have classifiers range over the set of finite (and possibly empty) sequences of transition labels and to allow a classifier abstraction $(\alpha)M$ to be applied also to sequences of classifiers. Then, run is unified with a special case of application of a classifier abstraction to the empty sequence. More concretely, we change the term $M[\beta]$ to $M[B]$, where $B$ is a possibly empty sequence of classifiers (the left rule below). When $B$ is empty and $\tau$ is $\langle\tau_0\rangle^\alpha$ (assuming $\tau_0$ does not contain $\alpha$), the rule (shown as the right rule below) can be thought of as the typing rule of (another version of) run, since $\alpha$-closed code of $\tau_0$ becomes simply $\tau_0$ (without the $(\alpha)\cdot$ that the original $\lambda^\alpha$ keeps).

$$\frac{\Gamma \vdash^{A} M : (\alpha)\tau}{\Gamma \vdash^{A} M[B] : \tau[\alpha := B]} \qquad\qquad \frac{\Gamma \vdash^{A} M : (\alpha)\langle\tau_0\rangle^\alpha}{\Gamma \vdash^{A} M[\varepsilon] : \tau_0}$$

Another benefit of this change is that CSP for closed code (or embedding of persistent code [10]) can be easily expressed. For example, if $x$ is of the type $(\alpha)\langle\mathsf{int}\rangle^\alpha$, then it can be used as code computing an integer at different stages as in, say, $\langle \cdots (\sim x[\alpha]) + 3 \cdots \langle \cdots 4 + (\sim\sim x[\alpha\beta]) \cdots \rangle^\beta \cdots \rangle^\alpha$. So, once a programmer obtains closed code, she can use it at any later stage. While our calculus $\lambda^{\triangleright}$ does not have a primitive for CSP at all types, we can express CSP in many cases. In Section 6.3 we discuss this subject in more detail.

Correspondingly, the semantics is now given by $v, \rho; s \Vdash \tau$, where $v$ is a valuation for propositional variables and $\rho$ is a mapping from classifiers to sequences of transition labels. Then, $v, \rho; s \Vdash \langle\tau\rangle^\alpha$ is defined by $v, \rho; s' \Vdash \tau$, where $s'$ is reachable from $s$ through the sequence $\rho(\alpha)$ of transitions, and $v, \rho; s \Vdash (\alpha)\tau$ by: $v, \rho[A/\alpha]; s \Vdash \tau$ for any sequence $A$ of labels ($\rho[A/\alpha]$ updates the value of $\alpha$ to be $A$). In Section 5 we give a formal definition of the Kripke semantics and show that the proof system, based on the ideas above, with double negation elimination is sound and complete with respect to it.



³ It is important to distinguish labels of free variables from free occurrences of classifiers. For example, the term $\langle\lambda x{:}b.x\rangle^\alpha$ has a free occurrence of the classifier $\alpha$, but no free variable labeled by $\alpha$ because there is no free variable at all.
3. The Calculus $\lambda^{\triangleright}$

In this section, we define the calculus $\lambda^{\triangleright}$, based on the ideas described in the previous section: we first define its syntax, type system, and small-step full reduction semantics and state some basic properties; then we prove the time-ordered normalization property. Finally, we give an example of programming in $\lambda^{\triangleright}$. We intentionally make the notations for type and term constructors different from $\lambda^\alpha$ because their precise meanings are different; it also avoids confusion when we compare the two calculi.

3.1. Syntax. Let $\Sigma$ be a countably infinite set of transition variables, ranged over by $\alpha$ and $\beta$. A transition, denoted by $A$ and $B$, is a finite sequence of transition variables; we write $\varepsilon$ for the empty sequence and $AB$ for the concatenation of two transitions. We write $\Sigma^*$ for the set of transitions. A transition is often called a stage. We write $\mathrm{FTV}(A)$ for the set of transition variables in $A$, defined by $\mathrm{FTV}(\alpha_1\alpha_2\cdots\alpha_n) = \{\alpha_i \mid 1 \le i \le n\}$.

Let $\mathrm{PV}$ be the set of base types (corresponding to propositional variables), ranged over by $b$. The set of types, ranged over by $\tau$ and $\sigma$, is defined by the following grammar:

$$\text{Types}\quad \tau ::= b \mid \tau \to \tau \mid \triangleright_\alpha \tau \mid \forall\alpha.\tau$$

A type is a base type, a function type, a code type, which corresponds to $\langle\cdot\rangle^\alpha$ of $\lambda^\alpha$, or an $\alpha$-closed type, which corresponds to $(\alpha)\tau$. The transition variable $\alpha$ of $\forall\alpha.\tau$ is bound in $\tau$. In what follows, we assume tacit renaming of bound variables in types. The type constructor $\triangleright_\alpha$ binds tighter than $\to$, and $\to$ tighter than $\forall$: for example, $\triangleright_\alpha \tau \to \sigma$ means $(\triangleright_\alpha \tau) \to \sigma$ and $\forall\alpha.\tau \to \sigma$ means $\forall\alpha.(\tau \to \sigma)$. We write $\mathrm{FTV}(\tau)$ for the set of free transition variables, which is defined in a straightforward manner.

Let $T$ be a countably infinite set of variables, ranged over by $x$ and $y$. The set of terms, ranged over by $M$ and $N$, is defined by the following grammar:

$$\text{Terms}\quad M ::= x \mid M\,M \mid \lambda x{:}\tau.M \mid \blacktriangleright_\alpha M \mid \blacktriangleleft_\alpha M \mid \Lambda\alpha.M \mid M\,A$$

In addition to the standard $\lambda$-terms, there are four more terms, which correspond to $\langle M\rangle^\alpha$, $\sim M$, $(\alpha)M$, and $M[\beta]$ of $\lambda^\alpha$ (respectively, in the order presented). Note that, unlike $\sim M$ in $\lambda^\alpha$, the term $\blacktriangleleft_\alpha M$ for unquote is also annotated. This annotation is needed because a single transition variable can be instantiated with a sequence, in which case a single unquote has to be duplicated accordingly. The variable $x$ in $\lambda x{:}\tau.M$ and the transition variable $\alpha$ in $\Lambda\alpha.M$ are bound in $M$. Bound variables are tacitly renamed to avoid variable capture in substitution. We write $\mathrm{FTV}(M)$ for the set of free transition variables, which is defined in a straightforward manner, e.g., $\mathrm{FTV}(\blacktriangleright_\alpha M) = \mathrm{FTV}(\blacktriangleleft_\alpha M) = \mathrm{FTV}(M) \cup \{\alpha\}$, $\mathrm{FTV}(\Lambda\alpha.M) = \mathrm{FTV}(M) - \{\alpha\}$ and $\mathrm{FTV}(M\,A) = \mathrm{FTV}(M) \cup \mathrm{FTV}(A)$.

3.2. Type System. As mentioned above, a type judgment and the variable declarations in a context are annotated with stages. A context $\Gamma$ is a finite set $\{x_1 : \tau_1 @ A_1, \ldots, x_n : \tau_n @ A_n\}$, where the $x_i$ are distinct variables. We often omit the braces $\{\}$. We write $\mathrm{FTV}(\Gamma)$ for the set of free transition variables in $\Gamma$, defined by $\mathrm{FTV}(\{x_i : \tau_i @ A_i \mid 1 \le i \le n\}) = \bigcup_{i=1}^{n} (\mathrm{FTV}(\tau_i) \cup \mathrm{FTV}(A_i))$.

A type judgment is of the form $\Gamma \vdash^{A} M : \tau$, read "term $M$ is given type $\tau$ under context $\Gamma$ at stage $A$." Figure 1 presents the typing rules to derive type judgments. The notation $\tau[\alpha := B]$, used in the rule (Ins), is capture-avoiding substitution of the transition $B$ for $\alpha$ in $\tau$. When $\alpha$ in $\triangleright_\alpha$ is replaced by a transition, we identify $\triangleright_\varepsilon \tau$ with $\tau$ and $\triangleright_{AB}\tau$ with $\triangleright_A \triangleright_B \tau$. For example, $(\triangleright_\alpha \forall\alpha.\triangleright_\alpha b)[\alpha := \varepsilon] = \forall\alpha.\triangleright_\alpha b$ and $(\forall\alpha.\triangleright_\beta b)[\beta := \alpha\alpha] = \forall\alpha'.\triangleright_\alpha\triangleright_\alpha b$.
$$\frac{}{\Gamma, x : \tau @ A \vdash^{A} x : \tau}\ \text{(Var)} \qquad\qquad \frac{\Gamma \vdash^{A\alpha} M : \tau}{\Gamma \vdash^{A} \blacktriangleright_\alpha M : \triangleright_\alpha \tau}\ (\blacktriangleright)$$

$$\frac{\Gamma, x : \tau @ A \vdash^{A} M : \sigma}{\Gamma \vdash^{A} \lambda x{:}\tau.M : \tau \to \sigma}\ \text{(Abs)} \qquad\qquad \frac{\Gamma \vdash^{A} M : \triangleright_\alpha \tau}{\Gamma \vdash^{A\alpha} \blacktriangleleft_\alpha M : \tau}\ (\blacktriangleleft)$$

$$\frac{\Gamma \vdash^{A} M : \tau \to \sigma \quad \Gamma \vdash^{A} N : \tau}{\Gamma \vdash^{A} M\,N : \sigma}\ \text{(App)} \qquad\qquad \frac{\Gamma \vdash^{A} M : \tau \quad \alpha \notin \mathrm{FTV}(\Gamma) \cup \mathrm{FTV}(A)}{\Gamma \vdash^{A} \Lambda\alpha.M : \forall\alpha.\tau}\ \text{(Gen)}$$

$$\frac{\Gamma \vdash^{A} M : \forall\alpha.\tau}{\Gamma \vdash^{A} M\,B : \tau[\alpha := B]}\ \text{(Ins)}$$

Figure 1: Typing rules.

The first three rules on the left are mostly standard except for the stage annotations. The conditions on stage annotations are similar to those in most multi-stage calculi: the rule (Var) means that variables can appear only at the stage in which they are declared, the rule (Abs) requires the stage of the parameter to be the same as that of the body, and, correspondingly, the rule (App) requires $M$ and $N$ to be typed at the same stage. The next two rules $(\blacktriangleright)$ and $(\blacktriangleleft)$ are for quoting and unquoting and were already explained in the previous section. The last two rules (Gen) and (Ins) are for generalization and instantiation of a transition variable, respectively. They resemble the introduction and elimination rules of $\forall x.A(x)$ in first-order predicate logic: the side condition of the rule (Gen) ensures that the choice of $\alpha$ is independent of the context. Computationally, this side condition expresses $\alpha$-closedness of $M$, which means that $M$ has no free variable with the annotation $\alpha$ in its type or its stage. This is a weaker form of (full) closedness, which would mean that $M$ has no free variable at all.

3.3. Reduction. We will introduce full reduction $M \longrightarrow N$, read "$M$ reduces to $N$ in one step," and prove basic properties including subject reduction, confluence and strong normalization.

Before giving the definition of reduction, we define substitution. Since the calculus has binders for term variables and transition variables, we need two kinds of substitution, one for each kind of variable. Substitution $M[x := N]$ for a term variable is the standard capture-avoiding one, and its definition is omitted here. Substitution $M[\alpha := A]$ of $A$ for $\alpha$ is defined similarly to $\tau[\alpha := A]$. We show representative cases below:

$$\begin{array}{rcl}
(\lambda x{:}\tau.M)[\alpha := A] & = & \lambda x{:}(\tau[\alpha := A]).(M[\alpha := A]) \\
(M\,B)[\alpha := A] & = & (M[\alpha := A])\,(B[\alpha := A]) \\
(\blacktriangleright_\beta M)[\alpha := A] & = & \blacktriangleright_{\beta[\alpha := A]} (M[\alpha := A]) \\
(\blacktriangleleft_\beta M)[\alpha := A] & = & \blacktriangleleft_{\beta[\alpha := A]} (M[\alpha := A]),
\end{array}$$

where $\blacktriangleright_{\alpha_1\cdots\alpha_n} M$ is an abbreviation for $\blacktriangleright_{\alpha_1} \cdots \blacktriangleright_{\alpha_n} M$, and $\blacktriangleleft_{\alpha_1\cdots\alpha_n} M$ for $\blacktriangleleft_{\alpha_n} \cdots \blacktriangleleft_{\alpha_1} M$.

In particular, $(\blacktriangleright_\alpha M)[\alpha := \varepsilon] = (\blacktriangleleft_\alpha M)[\alpha := \varepsilon] = M[\alpha := \varepsilon]$. Note that, when a transition variable in $\blacktriangleleft$ is replaced, the order of the transition variables is reversed, because $\blacktriangleleft$ is the inverse operation of $\blacktriangleright$. This is similar to the inversion operation in group theory: $(a_1 a_2 \ldots a_n)^{-1} = a_n^{-1} a_{n-1}^{-1} \ldots a_1^{-1}$.
The reduction relation $M \longrightarrow N$ is the least relation closed under the following three computation rules

$$(\lambda x{:}\tau.M)\,N \longrightarrow M[x := N] \qquad \blacktriangleleft_\alpha (\blacktriangleright_\alpha M) \longrightarrow M \qquad (\Lambda\alpha.M)\,A \longrightarrow M[\alpha := A]$$

and congruence rules, which are omitted here. In addition to the standard $\beta$-reduction, there are two rules: the second one, which was already explained previously, cancels quote by unquote, and the last one, instantiation of a transition variable, is similar to polymorphic function application in System F. Note that the reduction is full: reduction occurs under any context in any stage. This reduction relation can be thought of as (non-deterministic) proof normalization, which should preserve types, be confluent and be strongly normalizing.

Then, we will define another reduction relation as a triple $M \xrightarrow{T} N$, with $T$ standing for the stage of reduction, in Section 3.5, as done in $\lambda^{\bigcirc}$ [7] and $\lambda^{\bigcirc\Box}$ [10], to prove time-ordered normalization.
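As an added example (the editor's, not code from the paper), here is a small checker for the typing rules of Figure 1 together with the capture-avoiding transition substitution of Section 3.2; it also exercises the reading of run as instantiation with $\varepsilon$ from Section 2.2, and the stage bookkeeping that the rules above rely on. Every name in it (Base, Arrow, Code, Forall, the term classes, infer, subst_type, typable, demo) is this example's own; transitions are tuples of variable names, () standing for $\varepsilon$, and type equality in (App) is structural, so it does not identify types up to renaming of bound transition variables.

```python
# Added example (the editor's, not code from the paper): a checker for the
# typing rules of Figure 1 of λ▷ plus capture-avoiding transition substitution
# on types. All class and function names are this example's own choices.
# A stage / transition A is a tuple of transition-variable names; () is ε.
from dataclasses import dataclass

@dataclass(frozen=True)
class Base:   name: str                          # base type b
@dataclass(frozen=True)
class Arrow:  dom: object; cod: object           # τ → σ
@dataclass(frozen=True)
class Code:   tv: str; body: object              # ▷_α τ (one variable per node)
@dataclass(frozen=True)
class Forall: tv: str; body: object              # ∀α.τ

@dataclass(frozen=True)
class Var:     x: str                            # x
@dataclass(frozen=True)
class Abs:     x: str; ty: object; body: object  # λx:τ.M
@dataclass(frozen=True)
class App:     fun: object; arg: object          # M N
@dataclass(frozen=True)
class Quote:   tv: str; body: object             # ▶_α M
@dataclass(frozen=True)
class Unquote: tv: str; body: object             # ◀_α M
@dataclass(frozen=True)
class Gen:     tv: str; body: object             # Λα.M
@dataclass(frozen=True)
class Ins:     fun: object; trans: tuple         # M A

def ftv(t):
    """Free transition variables of a type."""
    if isinstance(t, Base):  return set()
    if isinstance(t, Arrow): return ftv(t.dom) | ftv(t.cod)
    if isinstance(t, Code):  return ftv(t.body) | {t.tv}
    return ftv(t.body) - {t.tv}                  # Forall binds t.tv

def code_seq(A, t):
    """▷_A τ for a transition A: ▷_ε τ = τ and ▷_{AB} τ = ▷_A ▷_B τ."""
    for a in reversed(A): t = Code(a, t)
    return t

def subst_type(t, a, B):
    """Capture-avoiding τ[α := B] for a possibly empty transition B."""
    if isinstance(t, Base):  return t
    if isinstance(t, Arrow): return Arrow(subst_type(t.dom, a, B), subst_type(t.cod, a, B))
    if isinstance(t, Code):
        body = subst_type(t.body, a, B)
        return code_seq(B, body) if t.tv == a else Code(t.tv, body)
    if t.tv == a:                                # ∀α.τ: α is bound, nothing to replace inside
        return t
    if t.tv in B:                                # rename the binder so B is not captured
        new = t.tv
        while new in set(B) | ftv(t.body) | {a}:
            new += "'"
        t = Forall(new, subst_type(t.body, t.tv, (new,)))
    return Forall(t.tv, subst_type(t.body, a, B))

class Untypable(Exception):
    pass

def infer(ctx, stage, m):
    """Γ ⊢^A M : τ with ctx mapping x to (τ, A) and stage = A; raises Untypable."""
    if isinstance(m, Var):                       # (Var): only at the declared stage
        ty, at = ctx[m.x]
        if at != stage: raise Untypable(f"{m.x} is declared at {at}, used at {stage}")
        return ty
    if isinstance(m, Abs):                       # (Abs): parameter lives at the body's stage
        return Arrow(m.ty, infer({**ctx, m.x: (m.ty, stage)}, stage, m.body))
    if isinstance(m, App):                       # (App): both sides at the same stage
        f, arg = infer(ctx, stage, m.fun), infer(ctx, stage, m.arg)
        if not isinstance(f, Arrow) or f.dom != arg: raise Untypable("ill-typed application")
        return f.cod
    if isinstance(m, Quote):                     # (▶): body typed at stage Aα
        return Code(m.tv, infer(ctx, stage + (m.tv,), m.body))
    if isinstance(m, Unquote):                   # (◀): stage must be Aα, body typed at A
        if not stage or stage[-1] != m.tv: raise Untypable("unquote outside stage " + m.tv)
        t = infer(ctx, stage[:-1], m.body)
        if not isinstance(t, Code) or t.tv != m.tv: raise Untypable("unquote of non-code")
        return t.body
    if isinstance(m, Gen):                       # (Gen): α fresh for Γ and A (α-closedness)
        used = set(stage).union(*[ftv(t) | set(a) for t, a in ctx.values()])
        if m.tv in used: raise Untypable(m.tv + " occurs in the context or the stage")
        return Forall(m.tv, infer(ctx, stage, m.body))
    t = infer(ctx, stage, m.fun)                 # (Ins): M B : τ[α := B]
    if not isinstance(t, Forall): raise Untypable("instantiation of a non-∀ type")
    return subst_type(t.body, t.tv, m.trans)

def typable(ctx, stage, m):
    try: infer(ctx, stage, m); return True
    except (Untypable, KeyError): return False

def demo():
    """Λα.▶_α(λx:b.x): α-closed code; instantiating with ε is the 'run' reading."""
    b = Base("b")
    gen = Gen("α", Quote("α", Abs("x", b, Var("x"))))
    closed = infer({}, (), gen)                  # ∀α.▷_α (b → b)
    run = infer({}, (), Ins(gen, ()))            # b → b: code at stage ε is the value itself
    embed = infer({}, (), Ins(gen, ("β", "γ")))  # ▷_β ▷_γ (b → b): usable two stages later
    return closed, run, embed
```

demo() builds $\Lambda\alpha.\blacktriangleright_\alpha(\lambda x{:}b.x)$, which the checker types at stage $\varepsilon$ under the empty context as $\forall\alpha.\triangleright_\alpha(b \to b)$; instantiating it with $\varepsilon$ gives $b \to b$ (the run reading), and instantiating with $\beta\gamma$ gives $\triangleright_\beta\triangleright_\gamma(b \to b)$, the same closed code embedded two stages later. typable returns False for $\Lambda\alpha.\blacktriangleright_\alpha y$ when $y$ is declared at stage $\alpha$, because the (Gen) side condition fails, and subst_type reproduces the two substitution examples of Section 3.2, including the renaming of the bound $\alpha$ to $\alpha'$.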

3.4. Basic Properties. We will prove three basic properties, namely, subject reduction, strong normalization and confluence.

The key lemma is, as usual, the Substitution Lemma, which says that substitution preserves typing. We will prove such a property for each kind of substitution. We define substitution $\Gamma[\alpha := A]$ for contexts as follows:

$$\{x_i : \tau_i @ A_i\}[\alpha := A] = \{x_i : \tau_i[\alpha := A] @ A_i[\alpha := A]\}$$

Lemma 3.1 (Substitution Lemma).

(1) If $\Gamma, x : \sigma @ B \vdash^{A} M : \tau$ and $\Gamma \vdash^{B} N : \sigma$, then $\Gamma \vdash^{A} M[x := N] : \tau$.

(2) If $\Gamma \vdash^{A} M : \tau$, then $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} M[\alpha := B] : \tau[\alpha := B]$.

Proof. Easy induction on the typing rules. We only show the main cases.

The proof of (1):

• Case $M = x$: It is the case that $\tau = \sigma$ and $A = B$. So, what we have to show is $\Gamma \vdash^{B} N : \tau$, which is already assumed.

• Case $M = M_1\,M_2$: By the typing rules, we know that $\Gamma, x : \sigma @ B \vdash^{A} M_1 : \tau_0 \to \tau$ and $\Gamma, x : \sigma @ B \vdash^{A} M_2 : \tau_0$ for some $\tau_0$. By the induction hypothesis, $\Gamma \vdash^{A} (M_1[x := N]) : \tau_0 \to \tau$ and $\Gamma \vdash^{A} (M_2[x := N]) : \tau_0$. By the rule (App), we have $\Gamma \vdash^{A} (M_1\,M_2)[x := N] : \tau$.

• Case $M = \blacktriangleright_\alpha M_0$: By the typing rules, we know that $\tau = \triangleright_\alpha \tau_0$ and $\Gamma, x : \sigma @ B \vdash^{A\alpha} M_0 : \tau_0$. By the induction hypothesis, $\Gamma \vdash^{A\alpha} M_0[x := N] : \tau_0$. So, we obtain $\Gamma \vdash^{A} (\blacktriangleright_\alpha M_0)[x := N] : \triangleright_\alpha \tau_0$.

The proof of (2):

• Case $M = x$: By the typing rules, $x : \tau @ A \in \Gamma$. So, $x : (\tau[\alpha := B]) @ (A[\alpha := B]) \in \Gamma[\alpha := B]$. Therefore, $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} x : \tau[\alpha := B]$.

• Case $M = \blacktriangleright_\beta M_0$: By the typing rules, we have $\tau = \triangleright_\beta \tau_0$ and $\Gamma \vdash^{A\beta} M_0 : \tau_0$. By the induction hypothesis, $\Gamma[\alpha := B] \vdash^{(A[\alpha := B])(\beta[\alpha := B])} M_0[\alpha := B] : \tau_0[\alpha := B]$. By applying the rule $(\blacktriangleright)$ as many times as required, we obtain $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} \blacktriangleright_{\beta[\alpha := B]}(M_0[\alpha := B]) : \triangleright_{\beta[\alpha := B]}(\tau_0[\alpha := B])$. By the definition of substitution, this is equal to what we have to show.

• Case $M = \Lambda\beta.M_0$: By the typing rules, we have $\tau = \forall\beta.\tau_0$ and $\Gamma \vdash^{A} M_0 : \tau_0$. Moreover, we can assume without loss of generality that $\beta \notin \mathrm{FTV}(\Gamma) \cup \mathrm{FTV}(A) \cup \mathrm{FTV}(B) \cup \{\alpha\}$. By the induction hypothesis, we have $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} M_0[\alpha := B] : \tau_0[\alpha := B]$. Because $\beta \notin \mathrm{FTV}(\Gamma[\alpha := B]) \cup \mathrm{FTV}(A[\alpha := B])$, we obtain $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} (\Lambda\beta.(M_0[\alpha := B])) : \forall\beta.(\tau_0[\alpha := B])$. This judgment is equal to what we have to show. □

Theorem 3.2 (Subject Reduction). If $\Gamma \vdash^{A} M : \tau$ and $M \longrightarrow M'$, then $\Gamma \vdash^{A} M' : \tau$.

Proof. By straightforward induction on the derivation of $M \longrightarrow M'$, using the Substitution Lemma (Lemma 3.1). We only show the three base cases and omit the induction steps.

• Case $M = (\lambda x{:}\tau_0.M_0)\,M_1 \longrightarrow M_0[x := M_1] = M'$: Because $\Gamma \vdash^{A} (\lambda x{:}\tau_0.M_0)\,M_1 : \tau$, we have $\Gamma, x : \tau_0 @ A \vdash^{A} M_0 : \tau$ and $\Gamma \vdash^{A} M_1 : \tau_0$. By Substitution Lemma (1), we obtain $\Gamma \vdash^{A} M_0[x := M_1] : \tau$.

• Case $M = (\Lambda\alpha.M_0)\,B \longrightarrow M_0[\alpha := B] = M'$: Because $\Gamma \vdash^{A} (\Lambda\alpha.M_0)\,B : \tau$, we have $\alpha \notin \mathrm{FTV}(\Gamma) \cup \mathrm{FTV}(A)$ and $\Gamma \vdash^{A} M_0 : \tau_0$ such that $\tau_0[\alpha := B] = \tau$. By the second statement of the Substitution Lemma (Lemma 3.1), we obtain $\Gamma[\alpha := B] \vdash^{A[\alpha := B]} M_0[\alpha := B] : \tau_0[\alpha := B]$. Because $\alpha \notin \mathrm{FTV}(\Gamma) \cup \mathrm{FTV}(A)$, $\Gamma[\alpha := B] = \Gamma$ and $A[\alpha := B] = A$. Therefore, $\Gamma \vdash^{A} M_0[\alpha := B] : \tau$.

• Case $M = \blacktriangleleft_\alpha \blacktriangleright_\alpha M_0 \longrightarrow M_0 = M'$: By replacing $M$ in the assumption, we obtain $\Gamma \vdash^{A} \blacktriangleleft_\alpha \blacktriangleright_\alpha M_0 : \tau$. So we have $\Gamma \vdash^{A} M_0 : \tau$ as required. □

Theorem 3.3 (Strong Normalization). Let $M$ be a typable term. There is no infinite reduction sequence $M \longrightarrow N_1 \longrightarrow N_2 \longrightarrow \cdots$.

Proof. We construct a term $\natural(M)$ of the simply typed $\lambda$-calculus ($\lambda^{\to}$) as follows:

$$\begin{array}{rcl}
\natural(x) & = & x \\
\natural(\lambda x{:}\tau.N) & = & \lambda x.\natural(N) \\
\natural(N_1\,N_2) & = & \natural(N_1)\,\natural(N_2) \\
\natural(\blacktriangleright_\alpha N) & = & \natural(N) \\
\natural(\blacktriangleleft_\alpha N) & = & \natural(N) \\
\natural(\Lambda\alpha.N) & = & \natural(N) \\
\natural(N\,A) & = & \natural(N)
\end{array}$$

We can easily prove the following propositions by induction on the structure of $M$:

(1) If $M$ is typable in $\lambda^{\triangleright}$, then $\natural(M)$ is typable in $\lambda^{\to}$.

(2) Suppose $M \longrightarrow M'$. If this is a $\beta$-reduction step, then $\natural(M) \longrightarrow \natural(M')$ in $\lambda^{\to}$. Otherwise, $\natural(M) = \natural(M')$.

Now, assume there exists an infinite reduction sequence from a typable term $M$. It is clear that there are infinitely many $\beta$-reduction steps in it. By (2), there exists an infinite reduction sequence from $\natural(M)$, which is typable by (1). This contradicts the strong normalization property of $\lambda^{\to}$. □

The last property we will show is confluence. We prove this by using parallel reduction and complete development [20]. We define the parallel reduction relation M ⇒ N as in Figure 2. Notice that the rule (P-◂▸) allows more than one nested pair of quoting and unquoting to be cancelled in one step: for example, ◂_{α1} ◂_{α2} ⋯ ◂_{αn} ▸_{αn} ⋯ ▸_{α2} ▸_{α1} x ⇒ x. It is not very standard in the sense that parallel reduction usually does not allow "hidden" redexes (that is, redexes that appear only after some other reduction steps) to be contracted in one step. We require this definition because a transition variable α can be replaced with a sequence A of transition variables during reduction. If A in (P-◂▸) were α, Lemma 3.5 (2) below would no longer hold.

  (P-Var)            x ⇒ x

             M ⇒ N
  (P-Lam)   ――――――――――――――――――
            λx:τ.M ⇒ λx:τ.N

             M1 ⇒ N1    M2 ⇒ N2
  (P-App)   ―――――――――――――――――――――
              M1 M2 ⇒ N1 N2

             M1 ⇒ N1    M2 ⇒ N2
  (P-Beta)  ―――――――――――――――――――――――――――――
            (λx:τ.M1) M2 ⇒ N1[x := N2]

               M ⇒ N
  (P-▸)     ―――――――――――――――
            ▸_α M ⇒ ▸_α N

               M ⇒ N
  (P-◂)     ―――――――――――――――
            ◂_α M ⇒ ◂_α N

               M ⇒ N
  (P-◂▸)    ――――――――――――――――
            ◂_A ▸_A M ⇒ N

               M ⇒ N
  (P-Gen)   ―――――――――――――――
            Λα.M ⇒ Λα.N

               M ⇒ N
  (P-TApp)  ―――――――――――――
             M A ⇒ N A

                  M ⇒ N
  (P-TIns)  ―――――――――――――――――――――――
            (Λα.M) A ⇒ N[α := A]

Figure 2: Rules for Parallel Reduction.

The following lemma relates the reduction relation and the parallel reduction relation.

Lemma 3.4. (→) ⊆ (⇒) ⊆ (→*)

Proof. (→) ⊆ (⇒) can be shown by induction on the derivation of M → N. We can prove (⇒) ⊆ (→*) by induction on the derivation of M ⇒ N. □

Thanks to this lemma, we know that confluence of → is equivalent to confluence of ⇒. We prove confluence of ⇒ by showing that ⇒ enjoys the diamond property. The following properties of parallel reduction are useful.

Lemma 3.5.

(1) If M1 ⇒ N1 and M2 ⇒ N2, then M1[x := M2] ⇒ N1[x := N2].

(2) If M ⇒ N, then M[α := A] ⇒ N[α := A].

Proof. Easy induction on the structure of the derivation of M1 ⇒ N1 and of M ⇒ N, respectively. □

Now, we define the notion of complete development and show its key property. The complete development M* of M is defined by induction as in Figure 3.

Lemma 3.6. If M ⇒ N, then N ⇒ M*.

Proof. By induction on the derivation of M ⇒ N with case analysis on M. We show only the interesting cases.

• Case (P-Lam): We have M = λx:τ.M0 and N = λx:τ.N0 with M0 ⇒ N0. By the induction hypothesis, we have N0 ⇒ M0*. So, by applying the (P-Lam) rule, we obtain λx:τ.N0 ⇒ λx:τ.M0*, as required.
  x*                = x
  (λx:τ.M)*         = λx:τ.M*
  ((λx:τ.M) N)*     = M*[x := N*]
  (M N)*            = M* N*            (if M ≠ λx:τ.M')
  (▸_α M)*          = ▸_α M*
  (◂_A ▸_A M)*      = M*
  (◂_α M)*          = ◂_α M*           (if M ≠ ◂_A ▸_{Aα} M')
  (Λα.M)*           = Λα.M*
  ((Λα.M) A)*       = M*[α := A]
  (M A)*            = M* A             (if M ≠ Λα.M')

Figure 3: Definition of Complete Development.



• Case (P-TApp): We have M = M0 A and N = N0 A with M0 ⇒ N0. There are two subcases.

Assume M0 ≠ Λα.M1. By the induction hypothesis, we have N0 ⇒ M0*. By applying the (P-TApp) rule, we obtain N0 A ⇒ M0* A = M*.

Assume M0 = Λα.M1 for some M1. By the induction hypothesis, we have N0 ⇒ M0* = Λα.M1*. By the definition of parallel reduction, we have N0 = Λα.N1 for some N1 with N1 ⇒ M1*. So, by applying the (P-TIns) rule, we obtain (Λα.N1) A ⇒ M1*[α := A] = M*.

• Case (P-TIns): We have M = (Λα.M0) A and N = N0[α := A] with M0 ⇒ N0. By the induction hypothesis, we have N0 ⇒ M0*. By applying Lemma 3.5 (2), we obtain N0[α := A] ⇒ M0*[α := A] = M*. □

It is easy to show the diamond property of ⇒ by using Lemma 3.6.

Lemma 3.7. If M ⇒ N1 and M ⇒ N2, then there exists N which satisfies N1 ⇒ N and N2 ⇒ N.

Proof. Choose M* as N and use the previous lemma. □

Theorem 3.8 (Confluence). If M →* N1 and M →* N2, then there exists N such that N1 →* N and N2 →* N.

Proof. By Lemma 3.4, we have

  (→) ⊆ (⇒) ⊆ (→*).

So we obtain

  (→*) ⊆ (⇒*) ⊆ (→*),

which implies (→*) = (⇒*). Therefore what we should show is confluence of ⇒, which is an easy consequence of the diamond property (Lemma 3.7). □
3.5. Annotated Reduction and Time-Ordered Normalization. We introduce the notion of stages into reduction and prove the property called time-ordered normalization [1, 10]. Intuitively, it says that normalization can be done in increasing order of stages and does not need to "go back" to earlier stages. In other words, once all redexes at some stage are contracted, subsequent reductions never yield a new redex at that stage. To state time-ordered normalization formally, we first introduce the notion of paths from one stage to another and a new reduction relation, annotated with paths to represent the stage at which a reduction occurs.

A path represents how the stage of a subterm is reached from the stage of a given term. For example, if Γ ⊢^α M and Γ ⊢^{αβ} N for a subterm N of M, then we say the path from (the stage of) M to (that of) N is β. The stage of a subterm may not be expressible by a transition (a sequence of transition variables), however: for example, consider the path from ◂_α M to M. We introduce formal inverses α⁻¹ to deal with such cases: the path from the stage of ◂_α M to that of M is represented by α⁻¹. Similarly, the path from ▸_α ◂_β M to M will be αβ⁻¹.

Formally, the set of paths, ranged over by T and U, is the free group generated by the set Σ of transition variables. In other words, a path is a finite sequence ξ1 ξ2 ⋯ ξn, where ξ = α or α⁻¹, such that it includes no subsequence of the form αα⁻¹ or α⁻¹α for any α. We define (α⁻¹)⁻¹ = α and

  (ξ1 ⋯ ξn) · (ξ_{n+1} ⋯ ξ_m) = (ξ1 ⋯ ξ_{n−1}) · (ξ_{n+2} ⋯ ξ_m)   (if ξn = ξ_{n+1}⁻¹)
  (ξ1 ⋯ ξn) · (ξ_{n+1} ⋯ ξ_m) = ξ1 ⋯ ξn ξ_{n+1} ⋯ ξ_m               (if ξn ≠ ξ_{n+1}⁻¹).

The empty sequence ε is the unit element for the operation T · U. We simply write TU for T · U. We define (ξ1 ξ2 ⋯ ξn)⁻¹ = ξn⁻¹ ξ_{n−1}⁻¹ ⋯ ξ1⁻¹.

We say a path T is positive if T does not contain formal inverses; in other words, the canonical form of T is in Σ*. We can naturally identify the positive paths with transitions and use the metavariables A and B for positive paths. We write T ≤ U when there exists a positive path A which satisfies TA = U. Clearly, ε ≤ T if and only if T is positive.
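As an added illustration (not part of the paper), the following Python represents paths as canonical words of the free group over Σ and implements the concatenation, inversion, positivity test and order ≤ defined above; the transition-variable names in the sample paths are chosen for illustration and are not taken from the text.

```python
# Added example (not from the paper): paths over transition variables as
# canonical words of the free group, following the definitions of Section 3.5.
# A path is a tuple of (name, sign) letters: (a, 1) stands for α and (a, -1)
# for the formal inverse α⁻¹.  The canonical form never contains α α⁻¹ or
# α⁻¹ α, and the empty tuple () is the unit ε.

def normalize(letters):
    """Cancel adjacent inverse pairs until none remain (canonical form)."""
    out = []
    for name, sign in letters:
        if out and out[-1] == (name, -sign):
            out.pop()                    # ... α α⁻¹ ... collapses to ...
        else:
            out.append((name, sign))
    return tuple(out)

def pos(*names):
    """A positive path α1 ... αn, i.e. a transition."""
    return tuple((n, 1) for n in names)

def inverse(T):
    """(ξ1 ... ξn)⁻¹ = ξn⁻¹ ... ξ1⁻¹."""
    return tuple((n, -s) for n, s in reversed(T))

def concat(T, U):
    """T · U: juxtapose and cancel at the junction (inputs are canonical)."""
    return normalize(T + U)

def is_positive(T):
    """T contains no formal inverse, i.e. its canonical form lies in Σ*."""
    return all(s == 1 for _, s in T)

def leq(T, U):
    """T ≤ U iff T A = U for some positive A; in a free group A = T⁻¹ U."""
    return is_positive(concat(inverse(T), U))

def show(T):
    return 'ε' if not T else ''.join(n + ('' if s == 1 else '⁻¹') for n, s in T)

# The three paths discussed above (α and β are illustrative names):
PATH_QUOTE   = pos('β')                                  # M to N when ⊢^α M and ⊢^{αβ} N
PATH_UNQUOTE = inverse(pos('α'))                         # from ◂_α M to M
PATH_MIXED   = concat(pos('α'), inverse(pos('β')))       # from ▸_α ◂_β M to M

if __name__ == '__main__':
    for T in (PATH_QUOTE, PATH_UNQUOTE, PATH_MIXED):
        print(show(T), 'positive' if is_positive(T) else 'not positive')
    # Theorem 3.9 at work: contracting ◂_α ▸_α M under ▸_α is reached by α·α⁻¹ = ε,
    # so for a term at stage ε the stage of the destructed constructor is positive.
    print(show(concat(pos('α'), inverse(pos('α')))))    # ε
```

Because `normalize` only ever removes a letter next to its inverse, `concat` of two canonical words needs no further work, and `leq` reduces the existence of a positive A with TA = U to a single positivity check on T⁻¹U.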

The annotated reduction relation is a triple of the form M →^T N, where M and N are terms and T is a path from the stage of M to that of its redex, more precisely, to that of the constructor destructed by the reduction, since the stage of a redex and that of its constructor may be different, as for ▸_α in the redex ◂_α ▸_α M. The definition of annotated reduction, presented in Figure 4, is mostly straightforward. For example, α⁻¹ is given to ◂_α ▸_α M →^{α⁻¹} M (the rule (AR-Quote)), because the path to the constructor ▸_α is α⁻¹. As for the rule (AR-▸), the path from M to the constructor destructed by the reduction is T and the path from ▸_α M to M is α, hence the path from ▸_α M to the constructor is given by their concatenation αT. The rule (AR-◂) is similar. The rule (AR-Gen) is the most interesting. First of all, α is bound here, so we cannot propagate T in the premise to the conclusion, to prevent α from escaping its scope. We have found that replacing α with ε, which is the earliest possible stage, is a reasonable choice, especially for time-ordered normalization.

Annotated reduction is closely related to the reduction defined in the previous section. It is easy to see that M → N if and only if there exists T such that M →^T N. Furthermore, such a T is unique.

The next theorem shows that any reduction indeed occurs at a positive stage.

Theorem 3.9. If Γ ⊢^A M : τ and M →^T N, then ε ≤ AT.
  (AR-Beta)    (λx:τ.M) N →^ε M[x := N]

  (AR-Trans)   (Λα.M) A →^ε M[α := A]

  (AR-Quote)   ◂_α ▸_α M →^{α⁻¹} M

                  M →^T M'
  (AR-Abs)    ―――――――――――――――――――――
              λx:τ.M →^T λx:τ.M'

                  M →^T M'
  (AR-App1)   ――――――――――――――――
              M N →^T M' N

                  N →^T N'
  (AR-App2)   ――――――――――――――――
              M N →^T M N'

                  M →^T M'
  (AR-▸)      ――――――――――――――――――――――
              ▸_α M →^{αT} ▸_α M'

                  M →^T M'
  (AR-◂)      ――――――――――――――――――――――――
              ◂_α M →^{α⁻¹T} ◂_α M'

                  M →^T M'
  (AR-Gen)    ――――――――――――――――――――――――――――
              Λα.M →^{T[α := ε]} Λα.M'

                  M →^T M'
  (AR-Ins)    ――――――――――――――――
              M A →^T M' A

Figure 4: Annotated Reduction.

Proof. Easy induction on the structure of M →^T N. □

We say M is T-normal when there are no U ≤ T and N such that M →^U N. Then, we can state time-ordered normalization as follows:

Theorem 3.10 (Time-Ordered Normalization). Let M be a typable term. If M is T-normal and M →* N, then N is T-normal.

Proof. See Appendix A. □

As its corollary, we know that any reduction to a normal form from a typable term M can be "rearranged" according to an increasing order between stages. Moreover, this increasing order can be any total order that respects ≤, i.e., includes ≤ as a subset.

Corollary 3.11. Let M be a typable term and ≼ be a total order that respects ≤. Then, there is a reduction sequence M →^{T1} N1 →^{T2} ⋯ →^{Tn} Nn which satisfies T1 ≼ T2 ≼ ⋯ ≼ Tn, and Nn is a normal form. □



3.6. Programming in λ▹. We give an example of programming in λ▹. The example is the power function, which is a classical example in multi-stage calculi and partial evaluation. We augment λ▹ with integers, Booleans, arithmetic and comparison operators, if-then-else, a fixed-point operator fix, and let. In the next section, we will formalize such a language (without let) as MiniML▹ and study its evaluation in more detail. For readability, we often omit type annotations.

We start with the ordinary power function without staging.

  let power : int → int → int
    = fix f. λn. λx. if n = 0 then 1 else x * (f (n − 1) x)

Our purpose is to get a code generator power_∀ that takes the exponent n and returns (closed, hence runnable) code of λx. x * x * ⋯ * x * 1, which computes x^n without recursion. Here, we follow the construction of code generators in the previous work [15, 14].

First, we construct a code manipulator power1 : int → ▹_α int → ▹_α int, which takes an integer n and a piece of integer code and then outputs a piece of code which concatenates the input code by "*" n times. It can be obtained by changing type annotations and introducing quasiquotation.

  let power1 : int → ▹_α int → ▹_α int
    = fix f. λn. λx:▹_α int.
        if n = 0 then (▸_α 1) else ▸_α ((◂_α x) * (◂_α (f (n − 1) x)))

Then, from power1, we can construct a code generator power_α of type int → ▹_α (int → int), which means it takes an integer and returns code of a function.

  let power_α : int → ▹_α (int → int)
    = λn. ▸_α λx:int. ◂_α (power1 n (▸_α x))

It indeed behaves as a code generator: for example, power_α 3 would evaluate to the code value ▸_α λx:int. x * (x * (x * 1)).

This construction is independent of the choice of the stage α. So, by abstracting α at appropriate places in power1 and power_α, we can obtain the desired code generator, whose return type is a closed code type ∀γ. ▹_γ (int → int).

  let power2 : ∀β. int → ▹_β int → ▹_β int
    = Λβ. fix f. λn. λx:▹_β int.
        if n = 0 then (▸_β 1) else ▸_β ((◂_β x) * (◂_β (f (n − 1) x)))

  let power_∀ : int → ∀γ. ▹_γ (int → int)
    = λn. Λγ. ▸_γ λx:int. ◂_γ (power2 γ n (▸_γ x))

The output from power_∀ is usable at any stage. For example, if we want code of the cube function at a later stage, say A, then we write power_∀ 3 A. In particular, when A is the empty sequence ε, power_∀ 3 ε : int → int evaluates to a function closure which computes x * x * x * 1 from the input x. The former corresponds to CSP (of closed code) and the latter to run.

4. MiniML▹

We extend λ▹ and define an ML-like functional language MiniML▹, which has, in addition to the features of λ▹, integers, arithmetic and comparison operations, Booleans, conditional expressions, and the (call-by-value) fixed-point combinator fix. We define the type system and big-step evaluation semantics for MiniML▹ and prove type soundness. In this semantics, bindings of transition variables have to be maintained at run time. So, we investigate a fragment of MiniML▹ in which programs can be executed while mostly forgetting information on transition variables. We give another type system, which identifies such a fragment, an erasure translation, which removes transitions from terms, and an alternative evaluation semantics for erased terms. Then, we prove the erasure property, which says that program executions before and after erasure agree.
4.1. Syntax and Type System. The syntax of types and terms of MiniML▹ is defined as follows, where n and bv are metavariables ranging over integers and the Boolean constants true and false.

  Types  τ ::= int | bool | τ → τ | ▹_α τ | ∀α.τ

  Terms  M ::= x | n | bv | M = M | M + M | M − M | M * M
             | if M then M else M | fix f:τ→σ.M | λx:τ.M | M M
             | ▸_α M | ◂_α M | Λα.M | M A

The type system is given as a straightforward extension of that of λ▹. We show the typing rules for the additional constructs.

              n ∈ Z                           bv ∈ {true, false}
  (IntC)  ――――――――――――――――       (BoolC)  ――――――――――――――――――――――
          Γ ⊢^A n : int                      Γ ⊢^A bv : bool

          Γ ⊢^A M : int    Γ ⊢^A N : int
  (Eq)    ――――――――――――――――――――――――――――――――
               Γ ⊢^A M = N : bool

          Γ ⊢^A M : int    Γ ⊢^A N : int    ⊙ ∈ {+, −, *}
  (IntOp) ――――――――――――――――――――――――――――――――――――――――――――――
                     Γ ⊢^A M ⊙ N : int

          Γ ⊢^A M : bool    Γ ⊢^A N1 : τ    Γ ⊢^A N2 : τ
  (If)    ―――――――――――――――――――――――――――――――――――――――――――――――
                Γ ⊢^A if M then N1 else N2 : τ

          Γ, f:τ→σ@A ⊢^A M : τ → σ
  (Fix)   ――――――――――――――――――――――――――――――
          Γ ⊢^A fix f:τ→σ.M : τ → σ

We use the same notations for term substitution M[x := N], transition substitution τ[α := A] and M[α := A], and the other auxiliary notions, which can be similarly defined. It is easy to prove that MiniML▹ also enjoys the Substitution Lemma.

Lemma 4.1 (Substitution Lemma).

(1) If Γ, x:σ@B ⊢^A M : τ and Γ ⊢^B N : σ, then Γ ⊢^A M[x := N] : τ.

(2) If Γ ⊢^A M : τ, then Γ[α := B] ⊢^{A[α := B]} M[α := B] : τ[α := B].

Proof. The proof is essentially the same as that of the Substitution Lemma for λ▹ (Lemma 3.1). □



4.2. Evaluation and Type Soundness. Now, we give a big-step semantics and prove that the execution of a well-typed program is properly divided into stages. The judgment has the form ⊢^A M ⇓ R, read "evaluating term M at stage A yields result R," where R is either err, which stands for a run-time error, or a value v, defined below. Values are given via a family of sets V^A indexed by transitions, that is, stages. The family V^A is defined by the following grammar:

  v^ε ∈ V^ε          ::= n | true | false | λx:τ.M | ▸_α V^α | Λα.V^ε

  v^A ∈ V^A (A ≠ ε)  ::= x | n | true | false | λx:τ.V^A | fix f:τ→σ.V^A
                       | V^A V^A | V^A ⊙ V^A | if V^A then V^A else V^A
                       | ▸_α V^{Aα} | Λα.V^A | V^A B
                       | ◂_α V^{A'}   (if A'α = A and A' ≠ ε)

The index A represents the current stage at which a value is typed. So, the index changes under quoting and unquoting. Note that a value at a higher stage (that is, under quotation) may include free variables, applications and instantiations, since computation is suspended. For example, x y ∈ V^α and so ▸_α x y ∈ V^ε.

Figure 5 shows the evaluation rules. Notice that the metavariables M or N for terms (not values) are used on the right side of ⇓, since it is not immediately clear that a result is really a value of a proper form (or err); we will prove such a property as a theorem. The evaluation is left-to-right and call-by-value. The rules in Figure 5 (1) are for ordinary evaluation. The rule for ◂_α M means that a quote is cancelled by an unquote; since the resulting term M' belongs to the stage α (inside quotation), α is attached to the conclusion. As seen in the rule for Λα.M, Λ does not delay the evaluation of the body. The rule for instantiation of a transition abstraction is straightforward. The rules for stages later than ε, which are in Figure 5 (2), are all similar: since the term to be evaluated is inside quotation, each term constructor is left as it is and only subterms of stage ε are evaluated. We also need rules for handling erroneous terms, such as:

  ⊢^ε M ⇓ M'    M' ∉ Z    ⊙ ∈ {+, −, *, =}          ⊢^A M ⇓ err    ⊙ ∈ {+, −, *, =}
  ――――――――――――――――――――――――――――――――――――――――          ――――――――――――――――――――――――――――――――
             ⊢^ε M ⊙ N ⇓ err                                 ⊢^A M ⊙ N ⇓ err

They are shown in Appendix B.

We show a few properties of the big-step semantics. The first theorem says that evaluation is deterministic.

Theorem 4.2. If ⊢^A M ⇓ R and ⊢^A M ⇓ R', then R = R'.

Proof. By straightforward induction on the derivation of ⊢^A M ⇓ R. □

The second theorem says that, unless the result is err, the result must be a value, even though the rules do not say that this is the case.

Theorem 4.3. Suppose ⊢^A M ⇓ R. Then, either R = err or R ∈ V^A.

Proof. By easy induction on the derivation of ⊢^A M ⇓ R. □

The last property is type soundness and its corollary that, if a well-typed program of a code type yields a result, then the result is a quoted term whose body is also typable at stage ε. Unlike the usual setting where only closed terms are considered programs, free variables at non-ε stages are considered symbols and do not cause unbound-variable errors in MiniML▹, so we relax the notion of programs to include terms that contain such symbolic variables. We say that Γ is ε-free if it satisfies A ≠ ε for any x:τ@A ∈ Γ; then, a program is a term which is typed under an ε-free environment. In the statement of the Type Soundness Theorem, we also use the notation Γ^{−A}, defined by Γ^{−A} = {x:τ@B | x:τ@AB ∈ Γ}.

Theorem 4.4 (Type Soundness). If Γ is ε-free, Γ ⊢^ε M : τ and ⊢^ε M ⇓ R, then R = v and v ∈ V^ε for some v, and Γ ⊢^ε v : τ. In particular, if τ = ▹_α τ0, then v = ▸_α N and Γ^{−α} ⊢^ε N : τ0.

Proof. See Section C.1. □
  ⊢^ε M ⇓ m    ⊢^ε N ⇓ n    m = n
  ――――――――――――――――――――――――――――――――
        ⊢^ε M = N ⇓ true

  ⊢^ε M ⇓ m    ⊢^ε N ⇓ n    m ≠ n
  ――――――――――――――――――――――――――――――――
        ⊢^ε M = N ⇓ false

  ⊢^ε M ⇓ m    ⊢^ε N ⇓ n    k = m ⊙ n    (where ⊙ ∈ {+, −, *})
  ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
                      ⊢^ε M ⊙ N ⇓ k

  ⊢^ε M ⇓ true    ⊢^ε N1 ⇓ N1'                 ⊢^ε M ⇓ false    ⊢^ε N2 ⇓ N2'
  ―――――――――――――――――――――――――――――――――――          ――――――――――――――――――――――――――――――――――――
  ⊢^ε if M then N1 else N2 ⇓ N1'               ⊢^ε if M then N1 else N2 ⇓ N2'

                                        ⊢^ε M ⇓ λx:τ.M'    ⊢^ε N ⇓ N'    ⊢^ε M'[x := N'] ⇓ M''
  ――――――――――――――――――――――――――            ―――――――――――――――――――――――――――――――――――――――――――――――――――――――
  ⊢^ε λx:τ.M ⇓ λx:τ.M                                        ⊢^ε M N ⇓ M''

      ⊢^α M ⇓ M'                 ⊢^ε M ⇓ ▸_α M'               ⊢^ε M ⇓ M'
  ――――――――――――――――――――――         ――――――――――――――――――――         ――――――――――――――――――――――
  ⊢^ε ▸_α M ⇓ ▸_α M'             ⊢^α ◂_α M ⇓ M'              ⊢^ε Λα.M ⇓ Λα.M'

  ⊢^ε M ⇓ Λα.M'    ⊢^ε M'[α := B] ⇓ M''             c ∈ Z ∪ {true, false}
  ――――――――――――――――――――――――――――――――――――――――――         ――――――――――――――――――――――――
             ⊢^ε M B ⇓ M''                                  ⊢^ε c ⇓ c

  ⊢^ε M[f := fix f:τ→σ.M] ⇓ M'
  ――――――――――――――――――――――――――――――――
      ⊢^ε fix f:τ→σ.M ⇓ M'

(1) Rules for ordinary evaluation.

  ⊢^A M ⇓ M'    ⊢^A N ⇓ N'    ⊙ ∈ {+, −, *, =}
  ――――――――――――――――――――――――――――――――――――――――――――――
             ⊢^A M ⊙ N ⇓ M' ⊙ N'

  ⊢^A M ⇓ M'    ⊢^A N1 ⇓ N1'    ⊢^A N2 ⇓ N2'
  ――――――――――――――――――――――――――――――――――――――――――――――――――――
  ⊢^A if M then N1 else N2 ⇓ if M' then N1' else N2'

                               ⊢^A M ⇓ M'                     ⊢^A M ⇓ M'    ⊢^A N ⇓ N'
  ―――――――――――――――          ――――――――――――――――――――――――――          ――――――――――――――――――――――――――――
    ⊢^A x ⇓ x              ⊢^A λx:τ.M ⇓ λx:τ.M'                  ⊢^A M N ⇓ M' N'

     ⊢^{Aα} M ⇓ M'                  ⊢^A M ⇓ M'                      ⊢^A M ⇓ M'
  ――――――――――――――――――――――――       ――――――――――――――――――――――――――――      ―――――――――――――――――――――
  ⊢^A ▸_α M ⇓ ▸_α M'             ⊢^{Aα} ◂_α M ⇓ ◂_α M'             ⊢^A M B ⇓ M' B

       ⊢^A M ⇓ M'                 c ∈ Z ∪ {true, false}                ⊢^A M ⇓ M'
  ――――――――――――――――――――――――        ――――――――――――――――――――――――      ―――――――――――――――――――――――――――――――――――――――
  ⊢^A Λα.M ⇓ Λα.M'                      ⊢^A c ⇓ c                ⊢^A fix f:τ→σ.M ⇓ fix f:τ→σ.M'

(2) Rules for evaluation inside quotation. Here, A ≠ ε.

Figure 5: Big-Step Semantics of MiniML▹.
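The following Python evaluator is an added example, not code from the paper: it implements the stage-indexed big-step rules of Figure 5 for the quote/unquote fragment (integers, fix, if, λ, application, ▸, ◂, Λ and instantiation) and runs the power generator of Section 3.6 through them. Terms are plain tuples and a stage is a tuple of transition-variable names; the tag names, the variable names γ, β, δ, and the hypothetical helper functions `gen_power` and `apply_int` are this example's own choices. Error cases where Figure 5 has no rule (err) are raised as `RuntimeError`.

```python
# Added example (not from the paper): a stage-indexed big-step evaluator for the
# quote/unquote fragment of MiniML▹ following Figure 5, run on the power
# generator of Section 3.6.  Terms are tuples; a stage A is a tuple of
# transition-variable names, () being ε.  Tags: ('int', n) ('bool', b) ('var', x)
# ('lam', x, M) ('app', M, N) ('fix', f, M) ('mul'|'sub'|'eq', M, N) ('if', M, N1, N2)
# ('quote', a, M) = ▸_a M  ('unquote', a, M) = ◂_a M  ('tabs', a, M) = Λa.M  ('tapp', M, A) = M A

def quotes(B, m):        # ▸_{b1...bn} m = ▸_{b1} ... ▸_{bn} m, and ▸_ε m = m
    for b in reversed(B):
        m = ('quote', b, m)
    return m

def unquotes(B, m):      # ◂_{b1...bn} m = ◂_{bn} ... ◂_{b1} m, and ◂_ε m = m
    for b in B:
        m = ('unquote', b, m)
    return m

def subst(t, x, v):
    """t[x := v]; stops at binders of x but is not capture-avoiding (the terms
    below never substitute a term with free x under a binder of x)."""
    k = t[0]
    if k == 'var': return v if t[1] == x else t
    if k in ('int', 'bool'): return t
    if k in ('lam', 'fix'): return t if t[1] == x else (k, t[1], subst(t[2], x, v))
    if k in ('quote', 'unquote', 'tabs'): return (k, t[1], subst(t[2], x, v))
    if k == 'tapp': return (k, subst(t[1], x, v), t[2])
    return (k,) + tuple(subst(s, x, v) for s in t[1:])     # app, mul, sub, eq, if

def tsubst(t, a, B):
    """t[a := B]; a B of length other than 1 changes the depth of quoting."""
    k = t[0]
    if k in ('var', 'int', 'bool'): return t
    if k in ('quote', 'unquote'):
        m = tsubst(t[2], a, B)
        if t[1] != a: return (k, t[1], m)
        return quotes(B, m) if k == 'quote' else unquotes(B, m)
    if k == 'tabs': return t if t[1] == a else (k, t[1], tsubst(t[2], a, B))
    if k == 'tapp':
        return (k, tsubst(t[1], a, B), tuple(c for d in t[2] for c in (B if d == a else (d,))))
    if k in ('lam', 'fix'): return (k, t[1], tsubst(t[2], a, B))
    return (k,) + tuple(tsubst(s, a, B) for s in t[1:])

def ev(A, t):
    """⊢^A t ⇓ result; raises RuntimeError where Figure 5 has no rule (err)."""
    k = t[0]
    if k in ('int', 'bool') or (k == 'var' and A):   # constants; symbolic variables under quotation
        return t
    if A == ():                                      # Figure 5 (1): ordinary evaluation
        if k == 'var': raise RuntimeError('unbound variable %s at stage ε' % t[1])
        if k == 'lam': return t
        if k == 'app':                               # left-to-right, call-by-value
            f, v = ev((), t[1]), ev((), t[2])
            if f[0] != 'lam': raise RuntimeError('application of a non-function')
            return ev((), subst(f[2], f[1], v))
        if k == 'fix': return ev((), subst(t[2], t[1], t))         # unroll once
        if k == 'quote': return (k, t[1], ev((t[1],), t[2]))       # body evaluated at stage α
        if k == 'unquote': raise RuntimeError('unquote at stage ε')
        if k == 'tabs': return (k, t[1], ev((), t[2]))             # Λ does not delay its body
        if k == 'tapp':
            f = ev((), t[1])
            if f[0] != 'tabs': raise RuntimeError('instantiation of a non-Λ term')
            return ev((), tsubst(f[2], f[1], t[2]))
        if k == 'if': return ev((), t[2] if ev((), t[1])[1] else t[3])
        m, n = ev((), t[1])[1], ev((), t[2])[1]      # mul, sub, eq on integers
        return ('bool', m == n) if k == 'eq' else ('int', m * n if k == 'mul' else m - n)
    if k == 'quote':                                 # Figure 5 (2): inside quotation
        return (k, t[1], ev(A + (t[1],), t[2]))
    if k == 'unquote':
        if A[-1] != t[1]: raise RuntimeError('◂_%s at stage %s' % (t[1], A))
        if len(A) == 1:                              # ⊢^ε M ⇓ ▸_α M'  gives  ⊢^α ◂_α M ⇓ M'
            q = ev((), t[2])
            if q[:2] != ('quote', t[1]): raise RuntimeError('unquote of a non-code value')
            return q[2]
        return (k, t[1], ev(A[:-1], t[2]))
    if k == 'tapp': return (k, ev(A, t[1]), t[2])
    if k in ('lam', 'fix', 'tabs'): return (k, t[1], ev(A, t[2]))
    return (k,) + tuple(ev(A, s) for s in t[1:])     # app, mul, sub, eq, if: structural

# The staged power generator of Section 3.6 (type annotations omitted).
V, I = (lambda x: ('var', x)), (lambda n: ('int', n))

def power2(b):   # Λβ. fix f. λn. λx. if n = 0 then ▸_β 1 else ▸_β ((◂_β x) * (◂_β (f (n − 1) x)))
    rec = ('app', ('app', V('f'), ('sub', V('n'), I(1))), V('x'))
    body = ('if', ('eq', V('n'), I(0)), ('quote', b, I(1)),
            ('quote', b, ('mul', ('unquote', b, V('x')), ('unquote', b, rec))))
    return ('tabs', b, ('fix', 'f', ('lam', 'n', ('lam', 'x', body))))

# power_∀ = λn. Λγ. ▸_γ λx. ◂_γ (power2 γ n (▸_γ x))
POWER_ALL = ('lam', 'n', ('tabs', 'γ', ('quote', 'γ', ('lam', 'x', ('unquote', 'γ',
    ('app', ('app', ('tapp', power2('β'), ('γ',)), V('n')), ('quote', 'γ', V('x'))))))))

def gen_power(n, stage):
    """power_∀ n A: A = () is 'run' (a closure); a non-empty A is CSP (code at stage A)."""
    return ev((), ('tapp', ('app', POWER_ALL, I(n)), stage))

def apply_int(closure, arg):
    return ev((), ('app', closure, I(arg)))[1]

if __name__ == '__main__':
    print(gen_power(3, ()))                 # λx. x * (x * (x * 1)) as a closure
    print(gen_power(3, ('δ',)))             # the same function as code ▸_δ λx. ...
    print(apply_int(gen_power(3, ()), 2))   # 8
```

Evaluating `gen_power(3, ())` walks exactly the staged path described in the text: the Λγ body is evaluated at stage ε, which pushes the evaluator into stage γ under ▸_γ, where only the ◂_γ subterms compute (each one recursively calls the stage-ε evaluator on `power2`), and the resulting Λγ.▸_γ λx.… value is instantiated with ε, which removes the quote and leaves an ordinary closure; instantiating with ('δ',) instead keeps the same body under ▸_δ.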
4.3. Staged Transition Variables for the Erasure Property. The evaluation of MiniML▹ introduced above relies on the annotation of transition variables. For example, consider the two terms

  M1 = (Λα. ▸_α ((λx.1) (◂ ((fix f.f) 2)))) ε
  M2 = (Λα. ▸_α ((λx.1) (◂_α ((fix f.f) 2)))) ε.

The only difference is the annotation on ◂((fix f.f) 2), but ⊢^ε M1 ⇓ 1 whereas there is no term N such that ⊢^ε M2 ⇓ N. In other words, the evaluation of M1 terminates but that of M2 diverges. Therefore, we must record how transition variables are bound to transitions during evaluation.

From the implementation point of view, it is desirable that evaluation be insensitive to the annotations as much as possible, to avoid overhead. In λ^α [9], environment classifiers can be regarded as completely static citizens, so that evaluation does not require them, although the authors do not explicitly state it. The property that evaluation goes well even if we erase the annotations is called the erasure property. The previous example shows that the erasure property does not hold for MiniML▹. Since the argument B, and especially its length, in an instantiation M B is significant at run time, we cannot erase transitions completely. So, we consider a slightly weaker notion of erasure, which removes transition variables only from ▸, ◂ and Λ and replaces the transition B in M B with its length. The goal of this section is to find a practically meaningful subset of MiniML▹ which enjoys the erasure property under the translation sketched above.

The reasons why the erasure property is broken are (1) Λ-bound transition variables are used "too far" from the binder, as is the case in M2, and (2) the "depth" of quoting ▸_α can be changed by using instantiation with a transition whose length is not 1. In the case of M2, there is an occurrence of the transition variable α far from the binder, and α is instantiated by ε, whose length is 0. So, to ensure the erasure property, it is enough to prevent (1) and (2) from holding at once; in other words, to guarantee that Λ-bound transition variables occur near the binder, or to restrict instantiations to transitions of length 1.

Based on this observation, we will introduce two instantiation rules. The first rule is for instantiation of transition variables used only near the binder. We can change the depth of quoting by using this rule, but this rule can be applied only in limited situations. The second rule is for instantiation of transition variables by transitions whose length is 1. This rule can be applied to any ∀-type, but we cannot change the depth of quoting. We introduce a new term constructor M[α] to distinguish it from the former.

The first instantiation rule requires some control on the occurrences of transition variables. We enforce one additional restriction, which requires that transition variables also be staged, like term variables. This restriction rejects a type with nested occurrences of ▹_α, such as ∀α. ▹_α ▹_α τ, whose term would have a distant use of ▸_α. This restriction is closely related to the distinction between open and closed code types in λ^i [16].

We define a new type system with staged transition variables. We need two changes to deal with stages for transition variables. First, we introduce environments for transition variables. A transition environment is a set of the form {α1@A1, …, αn@An}, where the αi are distinct transition variables. The intuitive meaning of α@A is that a valid occurrence of α is always of the form Aα. The second change is the annotation of the universal quantifier. The new syntax for universal quantification is ∀α@A.τ, where A is the (positive) path from the current stage to the stage at which α is usable.
Figure 6: The definition of well-formed types under the transition environment Δ.



Next, we define well-formed transitions, transition environments, types, and type environments to ensure that every use of a transition variable is valid. We say a transition A = α1 ⋯ αn is well formed under a transition environment Δ if, for any i ≤ n, αi@α1 ⋯ α_{i−1} ∈ Δ. We say Δ is well formed if, for any α@A ∈ Δ, A is well formed under Δ, i.e., all stages at which transition variables are declared are well formed. This definition avoids circular declarations of transition variables, e.g., α@β, β@α. We write Δ ⊢_s A if A is well formed under Δ, and ⊢_s Δ if Δ is a well-formed transition environment.

The judgment of the form Δ ⊢^A_s τ means "type τ is well formed at stage A under Δ", and is defined by the rules in Figure 6. The base types int and bool are always well formed at any well-formed stage. The rules for τ → σ and ▹_α τ resemble the typing rules (Abs) and (▸), respectively. The type ∀α@B.τ, which binds a new transition variable α, is well formed at A under Δ if τ is well formed under the transition environment extended with the new declaration α@AB. Finally, we define well-formedness of a type environment Γ under Δ, written Δ ⊢_s Γ, by: Γ is well formed under Δ if and only if Δ is well formed and, for any x:τ@A ∈ Γ, τ is well formed at A under Δ (i.e., Δ ⊢^A_s τ).

Figure 7 shows the typing rules that differ from the previous type system (apart from the addition of Δ). They have additional premises about well-formedness. The rule (S-Var) requires well-formedness of the environment Γ, x:τ@A, which in turn requires well-formedness of the type τ at A and of the transition environment Δ. The rules (S-Num) and (S-Bool) require well-formedness of the environment Γ and of the stage A, which ensures well-formedness of the base types. The typing rule (S-Gen) records the path from the current stage to the stage at which α is usable. This information is used by the rules (S-Ins1) and (S-Ins2). As mentioned above, there are two kinds of transition instantiation rules and corresponding term constructors. The first one, (S-Ins1), is computationally meaningful, in other words, it may change the depth of quoting, but it can be used only in limited situations. The second one, (S-Ins2), does not change the depth of quoting, so it is computationally meaningless and can be used at any time. Here, substitution for a transition variable in ∀α@A.τ (among other types) is defined as follows:

  (∀α@A.τ)[β := B] = ∀α@(A[β := B]).(τ[β := B])

It is easy to see that Γ; Δ ⊢^A_s M : τ implies Γ ⊢^A M : τ.

Now, we define the syntax of erased terms (terms after erasure), the erasure translation from terms to erased terms, and the big-step semantics for erased terms. The syntax of erased terms, ranged over by M♭, is as follows:

  Erased Terms  M♭ ::= x | n | bv | M♭ = M♭ | M♭ + M♭ | M♭ − M♭ | M♭ * M♭
                     | if M♭ then M♭ else M♭ | fix f.M♭ | λx.M♭ | M♭ M♭
                     | ▸M♭ | ◂M♭ | ΛM♭ | M♭[] | M♭ n   (n ≥ 0)
               Δ ⊢_s Γ, x:τ@A
  (S-Var)   ――――――――――――――――――――――――
            Γ, x:τ@A; Δ ⊢^A_s x : τ

            Δ ⊢_s Γ    Δ ⊢_s A
  (S-Num)   ――――――――――――――――――――
            Γ; Δ ⊢^A_s n : int

            Δ ⊢_s Γ    Δ ⊢_s A    bv ∈ {true, false}
  (S-Bool)  ――――――――――――――――――――――――――――――――――――――――
                   Γ; Δ ⊢^A_s bv : bool

            Γ; Δ, α@AB ⊢^A_s M : τ    α ∉ FTV(Γ) ∪ FTV(A)
  (S-Gen)   ―――――――――――――――――――――――――――――――――――――――――――――
                  Γ; Δ ⊢^A_s Λα.M : ∀α@B.τ

            Γ; Δ ⊢^A_s M : ∀α@ε.τ    Δ ⊢_s Γ    Δ ⊢_s AB
  (S-Ins1)  ――――――――――――――――――――――――――――――――――――――――――――――
                  Γ; Δ ⊢^A_s M B : τ[α := B]

            Γ; Δ ⊢^A_s M : ∀α@B.τ    β@AB ∈ Δ
  (S-Ins2)  ――――――――――――――――――――――――――――――――――――
               Γ; Δ ⊢^A_s M[β] : τ[α := β]

Figure 7: The typing rules which differ from the previous type system.

The erasing function ♭(·) from terms to erased terms is defined as follows:

  ♭(x) = x
  ♭(c) = c                                          (c ∈ Z ∪ {true, false})
  ♭(M ⊙ N) = ♭(M) ⊙ ♭(N)                            (⊙ ∈ {+, −, *, =})
  ♭(if M then N1 else N2) = if ♭(M) then ♭(N1) else ♭(N2)
  ♭(fix f:τ→σ.M) = fix f.♭(M)
  ♭(λx:τ.M) = λx.♭(M)
  ♭(M N) = ♭(M) ♭(N)
  ♭(▸_α M) = ▸♭(M)
  ♭(◂_α M) = ◂♭(M)
  ♭(Λα.M) = Λ♭(M)
  ♭(M[β]) = ♭(M)[]
  ♭(M A) = ♭(M) n                                   (n is the length of A).

So, ♭(▸_A M) = ▸ ⋯ ▸ ♭(M) and ♭(◂_A M) = ◂ ⋯ ◂ ♭(M), with n occurrences of ▸ and of ◂ respectively, where n is the length of A.

The erasure semantics is essentially the same as the ordinary evaluation semantics in Section 4.2 except for two differences: one is that the stage A of ⊢^A M ⇓ N is replaced by the natural number n, which is the length of A; the other is the rule for M n at stage 0. In this case, M must be evaluated to Λ▸M', and the ▸ at its head is duplicated n times. We show only the main rules below.

  ⊢^0 M♭ ⇓ ▸N♭               ⊢^{n+1} M♭ ⇓ N♭              ⊢^0 M♭ ⇓ ΛN♭
  ――――――――――――――――           ――――――――――――――――――           ――――――――――――――――――
  ⊢^1 ◂M♭ ⇓ N♭               ⊢^n ▸M♭ ⇓ ▸N♭               ⊢^0 M♭[] ⇓ N♭

  ⊢^0 M♭ ⇓ Λ▸N♭    ⊢^0 ▸ⁿN♭ ⇓ N'♭
  ―――――――――――――――――――――――――――――――――     (▸ⁿ denotes n occurrences of ▸)
         ⊢^0 M♭ n ⇓ N'♭

Finally, we state the erasure property: the erasure semantics is equivalent to the semantics with transition variables for terms typed under the new type system.

Theorem 4.5 (Erasure Property). Suppose Γ is ε-free and Γ; Δ ⊢^ε_s M : τ. Then,

(1) if ⊢^ε M ⇓ N, then ⊢^0 ♭(M) ⇓ ♭(N); and

(2) if ⊢^0 ♭(M) ⇓ N♭, then there is some N' such that ⊢^ε M ⇓ N' and N♭ = ♭(N').

Proof. See Appendix C.2. □

We believe that the calculus with this new type system does not lose much expressiveness for practical use; in fact, the example of power functions in Section 3.6 can be typed with the new type system.



5. Kripke Semantics for λ▹ and Logical Completeness

In this section, we formalize the Kripke semantics discussed in Section 2 and prove completeness of a classical version of the proof system obtained from λ▹, to justify the informal interpretation of types in λ▹ as formulae of a logic. We augment the set of propositions (namely, types) with falsity and the proof rules with double negation elimination. It is left for future work to study the semantics of the intuitionistic version, for which recent work on Kripke semantics for intuitionistic LTL [18, 19] can be a basis.

First, we (re)define the set of propositions and the natural deduction proof system. Then, we proceed to the formal definition of the Kripke semantics and prove soundness and completeness of the proof system. Finally, we examine another rule for double negation elimination.

5.1. Natural Deduction. The set Φ_⊥, ranged over by φ and ψ, of propositions is given by the grammar for Φ extended with a new constant ⊥.

The natural deduction system can be obtained by forgetting variables and terms in the typing rules. We add the following new rule, which is the ordinary double negation elimination rule, adapted for this setting:

  Γ, (φ → ⊥)@A ⊢^B ⊥
  ――――――――――――――――――――  (⊥-E)
        Γ ⊢^A φ



5.2. Kripke Semantics and Completeness. As mentioned in Section 2, the Kripke semantics for this logic is based on a functional transition system T = (S, L, {→_a | a ∈ L}), where S is the (non-empty) countable set of states, L is the countable set of labels, and →_a ∈ S → S for each label a ∈ L. We write s →_{a1 ⋯ an} s' if there exist s1, …, s_{n−1} such that s →_{a1} s1 →_{a2} ⋯ →_{a_{n−1}} s_{n−1} →_{an} s'. Actually, given s and a1, …, an, such an s' always exists in this setting because →_{ai} is a total function for all 1 ≤ i ≤ n.

To interpret a proposition, we need two valuations, one for propositional variables and the other for transition variables. The former is a total function v ∈ S × PV → {0, 1}; the latter is a total function ρ ∈ Σ → L*, where L* is the set of all finite sequences of labels.
Then, we define the satisfaction relation T, v, ρ; s ⊩ φ, where s ∈ S is a state, as follows:

  T, v, ρ; s ⊩ p         iff  v(s, p) = 1
  T, v, ρ; s ⊩ ⊥         never holds
  T, v, ρ; s ⊩ φ → ψ     iff  T, v, ρ; s ⊮ φ or T, v, ρ; s ⊩ ψ
  T, v, ρ; s ⊩ ▹_α φ     iff  T, v, ρ; s' ⊩ φ, where s →_{ρ(α)} s'
  T, v, ρ; s ⊩ ∀α.φ      iff  for all A ∈ L*, T, v, ρ[A/α]; s ⊩ φ

Here, ρ[A/α] is defined by ρ[A/α](α) = A and ρ[A/α](β) = ρ(β) (for β ≠ α). The satisfaction relation is extended pointwise to contexts Γ (possibly infinite sets of pairs of a proposition and a transition¹) by:

  T, v, ρ; s ⊩ Γ  iff  T, v, ρ; s ⊩ ▹_A φ for all φ@A ∈ Γ.

The local consequence relation Γ ⊩ φ is defined by:

  Γ ⊩ φ  iff  T, v, ρ; s ⊩ Γ implies T, v, ρ; s ⊩ φ, for any T, v, ρ, s.

Then, the natural deduction proof system is sound and complete with respect to the local consequence relation. The proof is similar to the one for first-order predicate logic: we use the standard techniques of Skolemization and Herbrand structures.

Theorem 5.1 (Soundness). If Γ ⊢^ε φ, then Γ ⊩ φ.

Proof. By induction on the derivation of Γ ⊢^ε φ. □

Theorem 5.2 (Completeness). If Γ ⊩ φ, then Γ ⊢^ε φ.

Proof. We give a proof sketch; more detailed proofs are found in Appendix D.

We assume Γ ⊬^ε φ. We construct a transition system T, two valuations v and ρ, and a state s such that T, v, ρ; s ⊩ Γ and T, v, ρ; s ⊮ φ. The construction is similar to the construction of counter models in first-order predicate logic. First, we prove the following proposition.

  Γ ⊬^ε ⊥ implies there exist T, v, ρ and s such that T, v, ρ; s ⊩ Γ.

We can reduce this proposition to the completeness of the quantifier-free logic (the logic without the quantifier over transition variables) by using Skolemization and Herbrand universes.

Then, we prove this theorem by contraposition. Because Γ ⊬^ε φ, we have Γ, (φ → ⊥)@ε ⊬^ε ⊥. Therefore, there exist T, v, ρ and s which satisfy T, v, ρ; s ⊩ Γ and T, v, ρ; s ⊩ φ → ⊥. Then, T, v, ρ; s ⊮ φ because T, v, ρ; s ⊩ φ → ⊥. Therefore, Γ ⊮ φ. □



5.3. Alternative Semantics. We can give an alternative deduction rule for double negation elimination.

$$\Gamma \vdash \ldots \qquad (\bot\text{-E})$$

The difference is in the stage of the premise. This rule requires that the stage of $\bot$ is equal to the stage of $\phi \to \bot$, but in the rule in Section 5.1 the stage of $\bot$ is arbitrary. This restriction makes the proof system weaker: for example, in this setting $\triangleright_\alpha$ is not self-dual, that is, $\neg\triangleright_\alpha\neg\phi \leftrightarrow \triangleright_\alpha\phi$ is not provable (here $\neg\phi$ is an abbreviation of $\phi \to \bot$), while under the previous rules $\triangleright_\alpha$ is self-dual. The difference is equivalent to the axiom $\triangleright_\alpha\bot \to \triangleright_\beta\bot$ (or a weaker form $\forall\alpha.(\triangleright_\alpha\bot \to \bot)$) in the sense that this system with this axiom is equivalent to the previous proof system. This axiom corresponds to the axiom $\bigcirc\neg A \leftrightarrow \neg\bigcirc A$ in linear-time temporal logic, due to Stirling [13].



$^{\dagger}$We allow $\Gamma$ to be infinite for technical convenience. For an infinite context $\Gamma$, we write $\Gamma \vdash_A \phi$ if there exists a finite context $\Gamma' \subseteq \Gamma$ such that $\Gamma' \vdash_A \phi$. The following argument holds if we restrict $\Gamma$ to be finite because the logic is compact, i.e., $\Gamma$ is unsatisfiable if and only if there exists a finite subset $\Gamma' \subseteq \Gamma$ such that $\Gamma'$ is also unsatisfiable. For more detail, see Appendix D.
$$\begin{array}{rcl}
\llbracket b \rrbracket &=& b\\
\llbracket \bigcirc\tau \rrbracket &=& \triangleright_\alpha \llbracket \tau \rrbracket\\
\llbracket x \rrbracket &=& x\\
\llbracket \lambda x{:}\tau.M \rrbracket &=& \lambda x{:}\llbracket\tau\rrbracket.\llbracket M \rrbracket\\
\llbracket M\,N \rrbracket &=& \llbracket M \rrbracket\,\llbracket N \rrbracket\\
\llbracket \mathtt{next}\ M \rrbracket &=& \blacktriangleright_\alpha \llbracket M \rrbracket\\
\llbracket \mathtt{prev}\ M \rrbracket &=& \blacktriangleleft_\alpha \llbracket M \rrbracket\\
\llbracket \Gamma, x{:}A@n \rrbracket &=& \llbracket\Gamma\rrbracket, x{:}\llbracket A\rrbracket@\alpha^n
\end{array}$$

Figure 8: Embedding from $\lambda^\bigcirc$ to $\lambda^\triangleright$. $\alpha$ is a fixed transition variable.

There is a corresponding semantics, with respect to which the new proof system is sound and complete. In fact, this is achieved by a minor change: we allow transition functions to be partial. As a result, there can be no $s'$ such that $s \xrightarrow{\rho(\alpha)} s'$. In this setting, the semantics for $\triangleright_\alpha\phi$ has to be modified. We define $s \overset{a_1 \cdots a_n}{\nrightarrow}$ as "there is no $s'$ which satisfies $s \xrightarrow{a_1 \cdots a_n} s'$", and $\mathcal{T}, v, \rho; s \Vdash \triangleright_\alpha\phi$ as follows:

$$\mathcal{T}, v, \rho; s \Vdash \triangleright_\alpha\phi \quad \text{iff} \quad s \overset{\rho(\alpha)}{\nrightarrow} \ \text{ or } \ \mathcal{T}, v, \rho; s' \Vdash \phi \ \text{ where } s \xrightarrow{\rho(\alpha)} s'$$

Completeness and soundness are proved similarly.
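The satisfaction relation of this section and the partial-transition variant just described, as an added Python example that is not part of the paper: it evaluates formulas over a small constructed transition system and checks the self-duality of $\triangleright_\alpha$, on which the two semantics disagree. The tuple encoding of formulas, the state and label names, and the finite bound placed on the quantifier over $L^*$ are assumptions made here.

```python
from itertools import product


class TransitionSystem:
    """A labelled transition system T = (S, L, delta).  delta maps (state, label)
    to the successor state; a missing key means delta is partial (Section 5.3)."""

    def __init__(self, states, labels, delta):
        self.states, self.labels, self.delta = list(states), list(labels), dict(delta)

    def step(self, s, path):
        """Follow the label sequence `path` from s; None if the run gets stuck."""
        for label in path:
            s = self.delta.get((s, label))
            if s is None:
                return None
        return s

    def paths(self, bound):
        """All label sequences of length <= bound (a finite slice of L*)."""
        for n in range(bound + 1):
            yield from product(self.labels, repeat=n)


def neg(phi):
    """phi -> bot, the abbreviation used in Section 5.3."""
    return ('imp', phi, ('bot',))


def sat(ts, v, rho, s, phi, partial=False, bound=3):
    """T, v, rho; s |= phi.  Formulas are tuples: ('p', name), ('bot',),
    ('imp', phi, psi), ('next', A, phi) for >_A phi with A a transition variable
    (str) or a concrete label sequence (tuple), and ('forall', alpha, phi).
    partial=False: total delta (Section 5.2); partial=True: a stuck run
    satisfies every >_A phi (Section 5.3).  The quantifier is checked for
    sequences up to `bound` only, an assumption made here to keep it finite."""
    kind = phi[0]
    if kind == 'p':
        return v.get((s, phi[1]), 0) == 1
    if kind == 'bot':
        return False
    if kind == 'imp':
        return (not sat(ts, v, rho, s, phi[1], partial, bound)
                or sat(ts, v, rho, s, phi[2], partial, bound))
    if kind == 'next':
        path = rho[phi[1]] if isinstance(phi[1], str) else phi[1]
        t = ts.step(s, path)
        if t is None:
            if not partial:
                raise ValueError("delta must be total under the Section 5.2 semantics")
            return True
        return sat(ts, v, rho, t, phi[2], partial, bound)
    if kind == 'forall':
        return all(sat(ts, v, {**rho, phi[1]: path}, s, phi[2], partial, bound)
                   for path in ts.paths(bound))
    raise ValueError(f"unknown formula {phi!r}")


def context_holds(ts, v, rho, s, gamma, partial=False):
    """T, v, rho; s |= Gamma: every pair (phi, A) in Gamma, i.e. phi@A, must
    satisfy >_A phi at s (the pointwise extension to contexts)."""
    return all(sat(ts, v, rho, s, ('next', path, phi), partial)
               for phi, path in gamma)


def self_dual(ts, v, alpha, phi, partial=False):
    """Check (not >_alpha (not phi)) <-> >_alpha phi at every state, for every
    assignment of a path of length <= 2 to alpha."""
    for s in ts.states:
        for path in ts.paths(2):
            rho = {alpha: path}
            lhs = sat(ts, v, rho, s, neg(('next', alpha, neg(phi))), partial)
            rhs = sat(ts, v, rho, s, ('next', alpha, phi), partial)
            if lhs != rhs:
                return False
    return True


# Constructed example: three states and labels a, b.  TOTAL is the Section 5.2
# setting; PARTIAL drops the a-transition out of state 2 (allowed in 5.3).
STATES, LABELS = [0, 1, 2], ['a', 'b']
TOTAL = TransitionSystem(STATES, LABELS,
                         {**{(s, 'a'): (s + 1) % 3 for s in STATES},
                          **{(s, 'b'): s for s in STATES}})
PARTIAL = TransitionSystem(STATES, LABELS,
                           {k: t for k, t in TOTAL.delta.items() if k != (2, 'a')})
V = {(1, 'p'): 1}                 # p holds exactly at state 1
P, BOT = ('p', 'p'), ('bot',)
NO_STUCK = ('forall', 'alpha', ('imp', ('next', 'alpha', BOT), BOT))  # forall a.(>_a bot -> bot)

if __name__ == '__main__':
    print("total, >_a self-dual:     ", self_dual(TOTAL, V, 'alpha', P))
    print("partial, >_a self-dual:   ", self_dual(PARTIAL, V, 'alpha', P, partial=True))
    print("total, axiom at state 2:  ", sat(TOTAL, V, {}, 2, NO_STUCK))
    print("partial, axiom at state 2:", sat(PARTIAL, V, {}, 2, NO_STUCK, partial=True))
```

Under the total semantics $\triangleright_\alpha$ is self-dual and $\forall\alpha.(\triangleright_\alpha\bot \to \bot)$ holds; at the stuck state of the partial system $\triangleright_\alpha\bot$ becomes true, so both fail there.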

6. Comparing with other multi-stage calculi

In this section, we will compare $\lambda^\triangleright$ with closely related calculi $\lambda^\bigcirc$ [7], the Kripke-style modal $\lambda$-calculus [8], $\lambda^\alpha$ [9] and $\lambda^i$ [16]. The first two calculi are based on the Curry-Howard correspondence between multi-stage calculi and modal logics, and our work can be considered a generalization of them. In fact, there are embeddings from these two calculi to $\lambda^\triangleright$. The calculi $\lambda^\alpha$ and $\lambda^i$ are multi-stage calculi with environment classifiers. We discuss several differences among these two calculi and $\lambda^\triangleright$. Although it does not seem possible to give (straightforward) embeddings from them, due to the presence of CSP, we will show that an embedding from the CSP-free fragment of $\lambda^i$ to $\lambda^\triangleright$ is possible.

6.1. Comparing with $\lambda^\bigcirc$. $\lambda^\bigcirc$ [7] is a multi-stage calculus corresponding to linear-time temporal logic (LTL). As already mentioned in an earlier section, $\lambda^\bigcirc$ is obtained by using only one transition variable, say $\alpha$. Then the modal operator $\bigcirc$, meaning "next" in LTL, corresponds to the modal operator $\triangleright_\alpha$, the stage $n$ in LTL corresponds to $\alpha^n$, and so on. We define an embedding $\llbracket \cdot \rrbracket$ from $\lambda^\bigcirc$ into $\lambda^\triangleright$ in Figure 8. This embedding is essentially the same as that from $\lambda^\bigcirc$ into $\lambda^\alpha$, given by Taha and Nielsen [9].

The following two theorems show the correctness of the embedding. 
$$\begin{array}{rcl}
\llbracket b \rrbracket &=& b\\
\llbracket \Box\tau \rrbracket &=& \forall\alpha.\triangleright_\alpha \llbracket \tau \rrbracket\\
\llbracket x \rrbracket^A &=& x\\
\llbracket \lambda x{:}\tau.M \rrbracket^A &=& \lambda x{:}\llbracket\tau\rrbracket.\llbracket M \rrbracket^A\\
\llbracket M\,N \rrbracket^A &=& \llbracket M \rrbracket^A\,\llbracket N \rrbracket^A\\
\llbracket \mathtt{box}\ M \rrbracket^A &=& \Lambda\alpha.\blacktriangleright_\alpha \llbracket M \rrbracket^{A\alpha} \quad (\text{where } \alpha \notin FTV(A))\\
\llbracket \mathtt{unbox}_n\ M \rrbracket^A &=& \blacktriangleleft_B (\llbracket M \rrbracket^{A'}\,B) \quad (\text{where } A = A'B \text{ and the length of } B \text{ is } n)\\
\llbracket x_1{:}\tau_1, \ldots, x_n{:}\tau_n \rrbracket^A &=& x_1{:}\llbracket\tau_1\rrbracket@A, \ldots, x_n{:}\llbracket\tau_n\rrbracket@A\\
\llbracket \Gamma_0; \cdots; \Gamma_n \rrbracket^{\alpha_1 \cdots \alpha_n} &=& \llbracket\Gamma_0\rrbracket^{\epsilon}, \ldots, \llbracket\Gamma_i\rrbracket^{\alpha_1 \cdots \alpha_i}, \ldots, \llbracket\Gamma_n\rrbracket^{\alpha_1 \cdots \alpha_n}
\end{array}$$

Figure 9: Embedding from the Kripke-style modal $\lambda$-calculus to $\lambda^\triangleright$.

Theorem 6.1. If $\Gamma \vdash^n M : \tau$ in $\lambda^\bigcirc$, then $\llbracket\Gamma\rrbracket \vdash_{\alpha^n} \llbracket M\rrbracket : \llbracket\tau\rrbracket$.

Proof. By induction on the type derivation. □

Theorem 6.2. Let $M, N$ be $\lambda^\bigcirc$ terms. Then, $M \longrightarrow N$ iff $\llbracket M\rrbracket \longrightarrow \llbracket N\rrbracket$.

Proof. By induction on the structure of $M$. □

Moreover, by giving a suitable definition of reduction annotated with time for $\lambda^\bigcirc$, we can easily show that the embedding preserves the stage of reduction.

We can construct a reverse mapping, a type- and reduction-preserving embedding from the quantifier-free fragment of $\lambda^\triangleright$ to $\lambda^\bigcirc$, by simply forgetting annotations of transition variables. Moreover, the quantifier-free fragment of $\lambda^\triangleright$ with only one transition variable is isomorphic to $\lambda^\bigcirc$ in the sense that there is a bijection that preserves typability and reduction.

6.2. Comparing with Calculus based on S4. Davies and Pfenning [8, 12] develop calculi that correspond to intuitionistic modal logic S4 (only with $\Box$). The type $\Box\tau$ represents closed code values, which thus can be run or embedded in code of any later stages, as is possible in $\lambda^\triangleright$. We compare $\lambda^\triangleright$ with one of their calculi (what they call the Kripke-style modal $\lambda$-calculus in Section 4 of [8]), in which there are $\mathtt{box}$ and $\mathtt{unbox}_n$ for quoting and unquoting, respectively (see Pfenning and Davies [8] for details). An embedding $\llbracket\cdot\rrbracket$ from this calculus into $\lambda^\triangleright$ is given in Figure 9.

The following theorems state the correctness of the embedding. 

Theorem 6.3. Consider a sequence $A$ of distinct transition variables of length $n$. Then $\Gamma_0; \Gamma_1; \ldots; \Gamma_n \vdash M : \tau$ implies $\llbracket \Gamma_0; \ldots; \Gamma_n \rrbracket^A \vdash_A \llbracket M \rrbracket^A : \llbracket \tau \rrbracket$.

Proof. An easy induction on the type derivation $\Gamma_0; \ldots; \Gamma_n \vdash M : \tau$. □

Theorem 6.4. Let $A$ be a sequence of distinct transition variables of length $n$. Provided that $\Gamma_0; \ldots; \Gamma_n \vdash M : \tau$ is derivable in the Kripke-style modal $\lambda$-calculus, then $M \longrightarrow_\beta N$ iff $\llbracket M \rrbracket^A \longrightarrow \llbracket N \rrbracket^A$.

Proof. By induction on the structure of $M$. □

Taha and Nielsen have shown a similar embedding from the Kripke-style calculus into $\lambda^\alpha$. In their embedding, the translation of $\mathtt{unbox}$, which corresponds to the elimination rule for $\Box$, is slightly more involved than ours, since they use $\mathtt{run}$ and the CSP operator. In our embedding, on the other hand, $\mathtt{unbox}$ is expressed uniformly by $M\,B$, which corresponds to the elimination rule for $\forall$.

6.3. Comparing with $\lambda^\alpha$ and $\lambda^i$. Comparing $\lambda^\triangleright$ with $\lambda^\alpha$ [9], we can point out two differences: the meaning of $\mathtt{run}$ and the absence of a CSP primitive.

In $\lambda^\alpha$, $\mathtt{run}$ is a primitive, while, in $\lambda^\triangleright$, $\mathtt{run}\ M$ is defined as syntactic sugar for $M\,\epsilon$. The following rules are typing rules for $\mathtt{run}$ in $\lambda^\alpha$ and $\lambda^\triangleright$, respectively.

$$\frac{\Gamma \vdash_A M : (\alpha)\langle\tau\rangle^\alpha}{\Gamma \vdash_A \mathtt{run}\ M : (\alpha)\tau} \qquad\qquad \frac{\Gamma \vdash_A M : \forall\alpha.\tau}{\Gamma \vdash_A M\,\epsilon : \tau[\alpha := \epsilon]}$$

Aside from the presence of a binder $(\alpha)$, which is not essential, an important difference is how code type constructors are removed in the conclusion. In $\lambda^\alpha$, $\mathtt{run}$ removes only the outermost bracket annotated with $\alpha$, while, in $\lambda^\triangleright$, $M\,\epsilon$ removes all code-type constructors $\triangleright_\alpha$ in $\tau$. This difference in typing rules is also reflected in reductions.

$$\mathtt{run}\ (\alpha)\langle v\rangle^\alpha \longrightarrow (\alpha)v \qquad\qquad (\Lambda\alpha.v)\,\epsilon \longrightarrow v[\alpha := \epsilon]$$

(Here we assume that $v$ does not contain the CSP constructor to simplify the argument; see [9] for the complete definition.) So, it does not seem very easy to give an embedding in either direction.

From a practical point of view, we do not think this difference is very significant. It is not clear when one wants to share one environment classifier or transition variable among different stages. If the use of classifiers or transition variables is staged, as we discussed in Section 4.3, then the difference is very little. In fact, the current implementation of MetaOCaml is based on $\lambda^i$, which can be considered a subset of both $\lambda^\alpha$ and $\lambda^\triangleright$ (if CSP is ignored), and this fact shows that the difference is practically insignificant.

As another difference, $\lambda^\alpha$ allows the CSP constructor $\%$ to be applied to any term to embed the value of the term inside a quotation. It is easy to see that $\phi@\epsilon \vdash_\alpha \phi$ is not provable in general and so such a universal CSP operator would not be expressible in $\lambda^\triangleright$. However, we can support CSP for many types. CSP for values of base types such as integers and Booleans is easy. CSP for function closures is also possible if they do not contain open code in their bodies or environment. We can deal with CSP for closed code, i.e., the terms which have types of the form $\forall\alpha.\triangleright_\alpha\tau$ with $\alpha \notin FTV(\tau)$, as syntactic sugar in $\lambda^\triangleright$. The following rules are for CSP in $\lambda^\alpha$ and for CSP as syntactic sugar in $\lambda^\triangleright$.

$$\frac{\Gamma \vdash_A M : \tau}{\Gamma \vdash_{A\alpha} \%M : \tau} \qquad\qquad \frac{\Gamma \vdash_A M : \forall\beta.\triangleright_\beta\tau \quad \beta \notin FTV(\tau)}{\Gamma \vdash_{A\alpha} \Lambda\beta.(\blacktriangleleft_\alpha (M\,\alpha\beta)) : \forall\beta.\triangleright_\beta\tau}$$
$$\begin{array}{rcl}
\llbracket b \rrbracket &=& b\\
\llbracket \langle\tau\rangle^\alpha \rrbracket &=& \triangleright_\alpha \llbracket\tau\rrbracket\\
\llbracket \langle\tau\rangle \rrbracket &=& \forall\alpha.\triangleright_\alpha \llbracket\tau\rrbracket \quad (\text{where } \alpha \notin FV(\tau))\\
\llbracket x \rrbracket^A &=& x\\
\llbracket \lambda x.M \rrbracket^A &=& \lambda x{:}\tau.\llbracket M \rrbracket^A \quad (\tau \text{ should be chosen appropriately})\\
\llbracket M\,N \rrbracket^A &=& \llbracket M \rrbracket^A\,\llbracket N \rrbracket^A\\
\llbracket \langle M \rangle \rrbracket &=& \blacktriangleright_\alpha \llbracket M \rrbracket \quad (\alpha \text{ should be chosen appropriately})\\
\llbracket {\sim}M \rrbracket &=& \blacktriangleleft_\alpha \llbracket M \rrbracket \quad (\alpha \text{ should be chosen appropriately})\\
\llbracket \mathtt{run}\ M \rrbracket &=& \llbracket M \rrbracket\,\epsilon\\
\llbracket \mathtt{open}\ M \rrbracket &=& \llbracket M \rrbracket\,\alpha \quad (\alpha \text{ should be chosen appropriately})\\
\llbracket \mathtt{close}\ M \rrbracket &=& \Lambda\alpha.\llbracket M \rrbracket \quad (\alpha \text{ should be chosen appropriately})\\
\llbracket x_1{:}\tau_1^{A_1}, \ldots, x_n{:}\tau_n^{A_n} \rrbracket &=& x_1{:}\llbracket\tau_1\rrbracket@A_1, \ldots, x_n{:}\llbracket\tau_n\rrbracket@A_n
\end{array}$$

Figure 10: Embedding from $\lambda^i$ without the CSP primitive to $\lambda^\triangleright$. Precisely speaking, in order to recover $\tau$ and $\alpha$, which appear only on the right-hand side, this embedding takes type derivations of $\lambda^i$ rather than terms as its input.



The only problematic case is CSP for open code and, as mentioned above, functions containing open code, but we think it is rarely needed.

$\lambda^i$ [16] is developed as a subset of $\lambda^\alpha$ where type inference is possible (although there are slight differences in syntax and typing). The difference between $\lambda^\triangleright$ and $\lambda^i$ is smaller than that between $\lambda^\triangleright$ and $\lambda^\alpha$. In fact, we can construct an embedding that preserves typing from $\lambda^i$ (without the CSP operator) into $\lambda^\triangleright$, by observing that the executable code type $\langle\tau\rangle$ in $\lambda^i$ corresponds to $\forall\alpha.\triangleright_\alpha\tau$ (where $\alpha \notin FTV(\tau)$) in $\lambda^\triangleright$. Figure 10 shows the complete description of the embedding. Precisely speaking, it takes a type derivation rather than a term: for example, the rule for $\mathtt{open}$ means

$$\left\llbracket \frac{\Gamma \vdash_A M : \langle\tau\rangle}{\Gamma \vdash_A \mathtt{open}\ M : \langle\tau\rangle^\alpha} \right\rrbracket \;=\; \llbracket \Gamma \vdash_A M : \langle\tau\rangle \rrbracket\ \alpha,$$

(note that $\alpha$ does not appear in the term $\mathtt{open}\ M$ and it comes from the derivation) and the rule for $\mathtt{close}$ means

$$\left\llbracket \frac{\Gamma \vdash_A M : \langle\tau\rangle^\alpha \quad \alpha \notin FV(\Gamma, A, \tau)}{\Gamma \vdash_A \mathtt{close}\ M : \langle\tau\rangle} \right\rrbracket \;=\; \Lambda\alpha.\llbracket \Gamma \vdash_A M : \langle\tau\rangle^\alpha \rrbracket.$$

Theorem 6.5. For any $\lambda^i$ term $M$ which does not contain $\%$, if $\Gamma \vdash_A M : \tau$ in $\lambda^i$, then $\llbracket\Gamma\rrbracket \vdash_A \llbracket M\rrbracket : \llbracket\tau\rrbracket$.

Proof. Easy induction on the type derivation. □
Preservation of the semantics is hard to discuss precisely. First of all, the semantics of $\lambda^i$ is not given in [16], in spite of the subtle syntactical differences between $\lambda^\alpha$ and $\lambda^i$. However, as far as we can guess, the semantics of $\lambda^i$ seems very close to the erasure semantics in Section 4.3, and then we expect to have preservation of the semantics.

7. Related Work

Multi-Stage Calculi Based on Modal Logics and Their Extensions. Our work can be considered a generalization of the previous work on the Curry-Howard isomorphism between multi-stage calculi and modal logics [7, 8, 10]. As we have seen in Section 6, there are embeddings from $\lambda^\bigcirc$ and $\lambda^\Box$ to $\lambda^\triangleright$.

The restriction of $\lambda^\Box$ that all code be closed precludes the definition of a code generator like $\mathit{power}$, which generates both efficient and runnable code. Nanevski and Pfenning [21] have extended $\lambda^\Box$ with the notion of names, similar to the symbols in Lisp, and remedied the defect of $\lambda^\Box$ by allowing newly generated names (not variables) to appear in closed code.

Taha and Sheard [5] added $\mathtt{run}$ and CSP to $\lambda^\bigcirc$ and developed MetaML, but its type system was not strong enough: $\mathtt{run}$ may fail at run-time. Then, Moggi, Taha, Benaissa, and Sheard [14] developed the calculus AIM ("An Idealized MetaML"), in which there are types for both open and closed code; it was then simplified to $\lambda^{BN}$, which replaced closed code types with closedness types for closed terms that are not necessarily code. Both calculi are based on categorical models and have sound type systems. The notion of $\alpha$-closedness in $\lambda^\alpha$ can be considered a generalization of $\lambda^{BN}$'s closed types. In fact, the typing rule for $\mathtt{run}$ in $\lambda^{BN}$ is similar to the one in $\lambda^\alpha$. Although some of these calculi have sound type systems, it is hard to regard them as logic, mainly due to the presence of CSP, which delays the stage of the type judgment to any later stage, and the typing rule for $\mathtt{run}$ (as discussed in Section 6.3).

More recently, Yuse and Igarashi have proposed the calculus $\lambda^{\bigcirc\Box}$ [10] by combining $\lambda^\bigcirc$ and $\lambda^\Box$, while maintaining the Curry-Howard isomorphism. The main idea was to consider LTL with modalities "always" ($\Box$) and "next" ($\bigcirc$), which represent closed and open code types, respectively. It is similar to AIM in this respect. Although $\lambda^{\bigcirc\Box}$ is based on logic, it cannot be embedded into $\lambda^\triangleright$ simply by combining the two embeddings above. In fact, in $\lambda^{\bigcirc\Box}$, both directions of $\Box\bigcirc\tau \leftrightarrow \bigcirc\Box\tau$ are provable, whereas neither direction of $(\forall\alpha.\triangleright_\alpha\triangleright_\beta\tau) \leftrightarrow \triangleright_\beta\forall\alpha.\triangleright_\alpha\tau$ is provable in $\lambda^\triangleright$. However, in $\lambda^{\bigcirc\Box}$ it seems impossible to program a code generator like $\mathit{power}$, which generates specialized code used at any stage; the best possible one presented can generate specialized code used only at any later stage, so running the specialized code is not possible.

It is considered not easy to develop a sound type system for staging constructs with 
side effects. Calcagno, Moggi, and Sheard developed a sound type system for a multi-stage 
calculus with references using closed types [22]. It is interesting to study whether their 
closedness condition can be relaxed by using a-closedness. 

Other Multi-Stage Calculi. Kim, Yi, and Calcagno's $\lambda^{\mathit{open}}$ [11] is a rather powerful multi-stage calculus with open and closed code fragments, intentionally variable-capturing substitution, lifting values into code, and even references and ML-style type inference. The type structure of $\lambda^{\mathit{open}}$ is rather different: since variables in code values can escape from their initial binder's scope and get captured by other binders, a code type records the names of free variables and their types, as well as the type of the whole code. It is not clear how (a pure fragment of) the calculus can be related to other foundational calculi; possible directions may be to use the calculus of contexts [23] by Sato, Sakurai, and Kameyama, and the contextual modal type theory by Nanevski, Pfenning, and Pientka [24].

Viera and Pardo [25] have proposed a multi-stage language with intensional code anal- 
ysis, that is, pattern matching on code. The language requires typechecking at run-time. 

More recently, Kameyama, Kiselyov, and Shan [26] have developed an extension of (a two-level version of) $\lambda^\bigcirc$ with the control operators shift/reset [27], which enable an interesting pattern of code generation such as let-insertion [28] in direct style. It will be interesting to investigate how this calculus extends to dynamic code execution (i.e., $\mathtt{run}$).

Modal Logics. As we discussed above, the $\Box$-fragment of modal logic and the $\bigcirc$-fragment of LTL can be embedded into our logic, while the $\Box\bigcirc$-fragment of LTL and our logic are incomparable.

Our logic has three characteristic features: (1) it is multi-modal, (2) it has universal quantification over modalities and (3) modal operators are "relative", meaning their semantics depends on the possible world at which they are interpreted. Most other logics do not have all of these features.

Dynamic logic [29] is a multi-modal logic for reasoning about programs. Its modal operators are $[a]$ for each program $a$, and $[a]\phi$ means "when $a$ halts, $\phi$ must stand after execution of $a$ from the current state". Dynamic logic is multi-modal and its modal operators are "relative", but it does not have quantification over programs. Therefore, there is no formula in Dynamic logic which would correspond to $\forall\alpha.\triangleright_\alpha\triangleright_\alpha\phi$. There is, however, a formula which is expressible in Dynamic logic but not in our logic: e.g., the Dynamic logic formula $[a^*]\phi$, which intuitively means $\phi \wedge [a]\phi \wedge [a][a]\phi \wedge \ldots$, cannot be expressed in our logic.

Hybrid logic [30] is a modal logic with a new kind of atomic formula called nominals, each of which must be true at exactly one state in any model (therefore, a nominal names a state). For each nominal $i$, $@_i$ is a modal operator and $@_i\phi$ means "$\phi$ stands at the state denoted by $i$". Hybrid logic has a universal quantifier over nominals (and another binder $\downarrow$: $\downarrow x.\phi$ means "let $x$ stand for the nominal for the current world, then $\phi$ stands"). Hybrid logic differs from our logic in that the modal operators $@_i$ indicate worlds directly, hence are not "relative". In Hybrid logic, $@_i@_j\phi$ and $@_j\phi$ are equivalent, but $\triangleright_\alpha\triangleright_\beta\phi$ and $\triangleright_\beta\phi$ are not equivalent in our logic.

8. Conclusion and Future Work 

We have studied a logical aspect of environment classifiers by developing a simply typed multi-stage calculus $\lambda^\triangleright$ with environment classifiers. This calculus corresponds to a multi-modal logic with a quantifier over transitions by the Curry-Howard isomorphism and satisfies time-ordered normalization as well as basic properties such as subject reduction, confluence, and strong normalization. The classical proof system is sound and complete with respect to the Kripke semantics. Our calculus simplifies the previous calculus $\lambda^\alpha$ of environment classifiers by reducing $\mathtt{run}$ and some uses of CSP to an extension of another construct. We believe our work helps clarify the semantics of environment classifiers.

We have also studied evaluation of (a slight extension of) $\lambda^\triangleright$ and shown that staged execution of a program is possible. Also, it is shown that erasure execution is possible for a certain subset, which is close to $\lambda^i$, the basis of MetaOCaml.

From a theoretical perspective, it is interesting to study the semantics of the intuition- 
istic version of the logic, as mentioned earlier, and also the calculus corresponding to the 
classical version of the logic. It is known that the naive combination of staging constructs 
and control operators is problematic since bound variables in quotation may escape from 
its scope by a control operator. We expect that a logical analysis, like the one presented 
here and Reed and Pfenning [31], will help analyze the problem. 

From a practical perspective, one feature missing from $\lambda^\triangleright$ is CSP for all types. As argued in the introduction, we think typical use of CSP is rather limited and so easy to support. Type inference for full $\lambda^\triangleright$ would not be possible for the same reason as for $\lambda^\alpha$ [16]. However, it would be easy to apply type inference for $\lambda^{\mathit{let}}$ [16] to a similar subset of $\lambda^\triangleright$.
Appendix A. Proof of Time Ordered Normalization (Theorem 3.10)

First, we give an inductive characterization of the class of $T$-normal terms. A judgment of the form $\Delta \vdash^T_\Downarrow M$, where $\Delta$ is a finite set of transition variables, means "$M$ is $T$-normal under bound transition variables $\Delta$." We distinguish transition variables bound outside of $M$ since they are interpreted as the empty transition in annotated reduction. We also need an auxiliary judgment of the form $\Delta \vdash^T_\nabla M$, read "$M$ is $T$-neutral under bound transition variables $\Delta$". We write $T[\Delta := \epsilon]$ for $T[\alpha_1 := \epsilon] \ldots [\alpha_n := \epsilon]$, where $\Delta = \{\alpha_1, \ldots, \alpha_n\}$. The inference rules for these judgments are shown in Figure 11.

We first prove that this proof system characterizes $T$-normal forms as in Lemma A.2, which is obtained as a special case of the lemma below. In what follows, $FTV(T)$ denotes the set of transition variables in the path $T$.

Lemma A.1. Let $M$ be a typable term, $T$ be a path, and $\Delta$ be a finite set of transition variables. Then, the following two conditions are equivalent:

(1) For any term $N$ and path $U$, if $M \xrightarrow{U} N$, then $U[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$.

(2) $\Delta \vdash^T_\Downarrow M$.

Proof. We show (1) $\Longrightarrow$ (2) by induction on $M$.

• Case $M = x$: $\Delta \vdash^T_\Downarrow M$ trivially holds.

• Case $M = \blacktriangleright_\alpha M'$: We first show that $M' \xrightarrow{U} N'$ implies $U[\Delta := \epsilon] \not\le (\alpha^{-1}T)[\Delta := \epsilon]$ for any $N'$ and $U$. Assume $M' \xrightarrow{U} N'$. Then, we have $\blacktriangleright_\alpha M' \xrightarrow{\alpha U} \blacktriangleright_\alpha N'$. By (1), we have $(\alpha U)[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$ and then $U[\Delta := \epsilon] \not\le (\alpha^{-1}T)[\Delta := \epsilon]$. By the induction hypothesis, we have $\Delta \vdash^{\alpha^{-1}T}_\Downarrow M'$, so $\Delta \vdash^T_\Downarrow \blacktriangleright_\alpha M'$.

• Case $M = \blacktriangleleft_\alpha M'$: Similarly to the case above, we have $\Delta \vdash^{\alpha T}_\Downarrow M'$. What remains to show is $\Delta \vdash^{\alpha T}_\nabla M'$.

Since $M$ is typable, a possible form of $M'$ is a variable, an application, an instantiation, or $\blacktriangleright_\alpha M''$ for some $M''$. In the first three cases, $\Delta \vdash^{\alpha T}_\nabla M'$ is trivial. If $M' = \blacktriangleright_\alpha M''$, then we have $M \xrightarrow{\alpha^{-1}} M''$. Then, by (1), we have $\alpha^{-1}[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$ and then $\epsilon \not\le (\alpha T)[\Delta := \epsilon]$. By the first rule for $\cdot \vdash^{(\cdot)}_\nabla \cdot$, we have $\Delta \vdash^{\alpha T}_\nabla M'$.

$$\frac{\epsilon \not\le T[\Delta := \epsilon]}{\Delta \vdash^T_\nabla M} \qquad \frac{M = x \ \text{ or } \ M = M_1\,M_2 \ \text{ or } \ M = M_1\,A}{\Delta \vdash^T_\nabla M}$$

$$\frac{}{\Delta \vdash^T_\Downarrow x} \qquad \frac{\Delta \vdash^T_\Downarrow M}{\Delta \vdash^T_\Downarrow \lambda x{:}\tau.M} \qquad \frac{\Delta \vdash^T_\Downarrow M \quad \Delta \vdash^T_\nabla M \quad \Delta \vdash^T_\Downarrow N}{\Delta \vdash^T_\Downarrow M\,N}$$

$$\frac{\Delta \vdash^{\alpha^{-1}T}_\Downarrow M}{\Delta \vdash^T_\Downarrow \blacktriangleright_\alpha M} \qquad \frac{\Delta \vdash^{\alpha T}_\Downarrow M \quad \Delta \vdash^{\alpha T}_\nabla M}{\Delta \vdash^T_\Downarrow \blacktriangleleft_\alpha M}$$

$$\frac{\Delta, \alpha \vdash^T_\Downarrow M \quad \alpha \notin FTV(T) \cup \Delta}{\Delta \vdash^T_\Downarrow \Lambda\alpha.M} \qquad \frac{\Delta \vdash^T_\Downarrow M \quad \Delta \vdash^T_\nabla M}{\Delta \vdash^T_\Downarrow M\,A}$$

Figure 11: $T$-neutral terms and $T$-normal terms.

• Case $M = \Lambda\alpha.M'$: Assume $M' \xrightarrow{U} N'$ and $\alpha \notin FTV(T) \cup \Delta$. Then, we have $\Lambda\alpha.M' \xrightarrow{U[\alpha := \epsilon]} \Lambda\alpha.N'$. By (1), $(U[\alpha := \epsilon])[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$. We have $(U[\alpha := \epsilon])[\Delta := \epsilon] = U[\Delta, \alpha := \epsilon]$ and $T[\Delta, \alpha := \epsilon] = T[\Delta := \epsilon]$ because $\alpha \notin FTV(T)$. So, $U[\Delta, \alpha := \epsilon] \not\le T[\Delta, \alpha := \epsilon]$. Then, we have $\Delta, \alpha \vdash^T_\Downarrow M'$ by the induction hypothesis. So, $\Delta \vdash^T_\Downarrow \Lambda\alpha.M'$ as required.

Other cases are similar.

The proof of (2) $\Longrightarrow$ (1) is by easy induction on the structure of the derivation of $\Delta \vdash^T_\Downarrow M$. We show the case $M = \blacktriangleleft_\alpha M'$ as a representative case.

Assume $\Delta \vdash^T_\Downarrow \blacktriangleleft_\alpha M'$. By definition, we have $\Delta \vdash^{\alpha T}_\Downarrow M'$ and $\Delta \vdash^{\alpha T}_\nabla M'$. Assume $\blacktriangleleft_\alpha M' \xrightarrow{U} N$. There are two cases.

• Case $\blacktriangleleft_\alpha M' \xrightarrow{U} \blacktriangleleft_\alpha N'$ with $M' \xrightarrow{\alpha U} N'$: Because $\Delta \vdash^{\alpha T}_\Downarrow M'$, by the induction hypothesis we have $(\alpha U)[\Delta := \epsilon] \not\le (\alpha T)[\Delta := \epsilon]$. This implies that $U[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$.

• Case $M' = \blacktriangleright_\alpha M''$ and $\blacktriangleleft_\alpha \blacktriangleright_\alpha M'' \xrightarrow{\alpha^{-1}} M''$: Since $\Delta \vdash^{\alpha T}_\nabla \blacktriangleright_\alpha M''$, we have $\epsilon \not\le (\alpha T)[\Delta := \epsilon]$. This is equivalent to $\alpha^{-1}[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$. □

Lemma A.2. Suppose $M$ is typable. Then, $M$ is $T$-normal if and only if $\emptyset \vdash^T_\Downarrow M$.

Proof. Immediate from Lemma A.1. □

Now, we prove that reduction preserves $T$-normality and $T$-neutrality, as in Lemma A.5, from which Theorem 3.10 immediately follows. Before that, we prove that (term and transition) substitution preserves $T$-normality and $T$-neutrality under a certain condition.

Lemma A.3. Suppose $\Gamma, x{:}\sigma@B \vdash_A M : \tau$ and $\Gamma \vdash_B N : \sigma$ and $B[\Delta := \epsilon] \not\le (AT)[\Delta := \epsilon]$. If $\Delta \vdash^T_\Downarrow M$ and $\Delta \vdash^{B^{-1}AT}_\Downarrow N$, then $\Delta \vdash^T_\Downarrow (M[x := N])$. Similarly, if $\Delta \vdash^T_\nabla M$, then $\Delta \vdash^T_\nabla (M[x := N])$.

Proof. By induction on $M$. We show only the main cases.

• Case $M = y$: The subcase $x \ne y$ is trivial. Assume $x = y$. Because $\Gamma, x{:}\sigma@B \vdash_A x : \tau$, it is the case that $A = B$. So $B^{-1}AT = T$ and $\Delta \vdash^T_\Downarrow N$. Moreover, we have $\Delta \vdash^T_\nabla N$ because $\epsilon \not\le T[\Delta := \epsilon]$, which follows from $B[\Delta := \epsilon] \not\le (AT)[\Delta := \epsilon]$ and $B = A$.

• Case $M = \blacktriangleright_\alpha M'$: From the type derivation of $M$, we have $\tau = \triangleright_\alpha\tau_0$ and $\Gamma, x{:}\sigma@B \vdash_{A\alpha} M' : \tau_0$. From $\Delta \vdash^T_\Downarrow \blacktriangleright_\alpha M'$, we obtain $\Delta \vdash^{\alpha^{-1}T}_\Downarrow M'$. Moreover, $B[\Delta := \epsilon] \not\le (AT)[\Delta := \epsilon] = ((A\alpha)(\alpha^{-1}T))[\Delta := \epsilon]$ holds. By the induction hypothesis, we now have $\Delta \vdash^{\alpha^{-1}T}_\Downarrow (M'[x := N])$. Therefore $\Delta \vdash^T_\Downarrow (\blacktriangleright_\alpha M')[x := N]$.

If $\Delta \vdash^T_\nabla \blacktriangleright_\alpha M'$, it is the case that $\epsilon \not\le T[\Delta := \epsilon]$. Therefore $\Delta \vdash^T_\nabla (\blacktriangleright_\alpha M')[x := N]$.

• Case $M = \Lambda\alpha.M'$: Without loss of generality, we can assume that $\alpha \notin FTV(A) \cup FTV(N) \cup FTV(\Gamma) \cup FTV(T) \cup FTV(B) \cup \Delta$. From the type derivation of $M$, we have $\tau = \forall\alpha.\tau_0$ and $\Gamma, x{:}\sigma@B \vdash_A M' : \tau_0$. From $\Delta \vdash^T_\Downarrow M$, we also have $\Delta, \alpha \vdash^T_\Downarrow M'$. Because $\alpha$ is fresh and $B[\Delta := \epsilon] \not\le (AT)[\Delta := \epsilon]$, we have $B[\Delta, \alpha := \epsilon] \not\le (AT)[\Delta, \alpha := \epsilon]$. By the induction hypothesis, we have $\Delta, \alpha \vdash^T_\Downarrow M'[x := N]$, which implies $\Delta \vdash^T_\Downarrow (\Lambda\alpha.M')[x := N]$.

If $\Delta \vdash^T_\nabla \Lambda\alpha.M'$, it is the case that $\epsilon \not\le T[\Delta := \epsilon]$. Therefore $\Delta \vdash^T_\nabla (\Lambda\alpha.M')[x := N]$. □
Lemma A.4. Suppose $\Gamma \vdash_A M : \tau$ and $\alpha \notin FTV(AT)$.

(1) If $\Delta, \alpha \vdash^T_\Downarrow M$, then $\Delta \vdash^{T[\alpha := B]}_\Downarrow (M[\alpha := B])$; and

(2) if $\Delta, \alpha \vdash^T_\nabla M$, then $\Delta \vdash^{T[\alpha := B]}_\nabla (M[\alpha := B])$.

Proof. We first show (2) by case analysis on the last rule used to derive $\Delta, \alpha \vdash^T_\nabla M$.

• Case $\Delta, \alpha \vdash^T_\nabla M$ with $\epsilon \not\le T[\Delta, \alpha := \epsilon]$: Because $\alpha \notin FTV(AT)$ and $\epsilon \le A$, we have $A = A'\alpha^n$ and $T = \alpha^{-n}T'$ and $\alpha \notin FTV(A') \cup FTV(T')$ for some $n \ge 0$. Then, $\epsilon \not\le T[\Delta, \alpha := \epsilon] = (\alpha^{-n}T')[\Delta, \alpha := \epsilon] = T'[\Delta := \epsilon]$. Therefore $B^{-n}[\Delta := \epsilon] \not\le (B^{-n}[\Delta := \epsilon])(T'[\Delta := \epsilon]) = T[\alpha := B][\Delta := \epsilon]$. It follows that $\epsilon \not\le T[\alpha := B][\Delta := \epsilon]$ because $B^{-n}[\Delta := \epsilon] \le \epsilon$. So we have $\Delta \vdash^{T[\alpha := B]}_\nabla (M[\alpha := B])$.

• The other case is easy.

Then, (1) is proved by induction on the derivation of $\Delta, \alpha \vdash^T_\Downarrow M$. We show only the main cases.

• Case $\Delta, \alpha \vdash^T_\Downarrow N_0\,N_1$: Applying the induction hypothesis and (2) to, respectively,

$$\Delta, \alpha \vdash^T_\Downarrow N_0 \qquad \Delta, \alpha \vdash^T_\nabla N_0 \qquad \Delta, \alpha \vdash^T_\Downarrow N_1$$

results in

$$\Delta \vdash^{T[\alpha := B]}_\Downarrow (N_0[\alpha := B]) \qquad \Delta \vdash^{T[\alpha := B]}_\nabla (N_0[\alpha := B]) \qquad \Delta \vdash^{T[\alpha := B]}_\Downarrow (N_1[\alpha := B]).$$

So we obtain $\Delta \vdash^{T[\alpha := B]}_\Downarrow (N_0\,N_1)[\alpha := B]$.

• Case $\Delta, \alpha \vdash^T_\Downarrow \blacktriangleleft_\beta M'$: It is the case that $\Delta, \alpha \vdash^{\beta T}_\Downarrow M'$ and $\Delta, \alpha \vdash^{\beta T}_\nabla M'$. Because $\Gamma \vdash_A \blacktriangleleft_\beta M' : \tau$, we have $A = A'\beta$ and $\Gamma \vdash_{A'} M' : \triangleright_\beta\tau$. Since $\alpha \notin FTV(AT) = FTV(A'\beta T)$, by applying the induction hypothesis and (2), we have $\Delta \vdash^{(\beta T)[\alpha := B]}_\Downarrow M'[\alpha := B]$ and $\Delta \vdash^{(\beta T)[\alpha := B]}_\nabla M'[\alpha := B]$. Therefore $\Delta \vdash^{T[\alpha := B]}_\Downarrow (\blacktriangleleft_{\beta[\alpha := B]} (M'[\alpha := B]))$. □

Lemma A.5. Suppose $\Gamma \vdash_A M : \tau$ and $M \xrightarrow{U} N$ and $U[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$. If $\Delta \vdash^T_\Downarrow M$, then $\Delta \vdash^T_\Downarrow N$. Similarly, if $\Delta \vdash^T_\nabla M$, then $\Delta \vdash^T_\nabla N$.

Proof. By induction on the derivation of $M \xrightarrow{U} N$.

• Case $M = (\lambda x{:}\sigma.P)\,Q \xrightarrow{\epsilon} P[x := Q] = N$: It is the case that $U = \epsilon$ and so $\epsilon \not\le T[\Delta := \epsilon]$. Assume $\Delta \vdash^T_\Downarrow M$. Then we have $\Delta \vdash^T_\Downarrow P$ and $\Delta \vdash^T_\nabla P$ and $\Delta \vdash^T_\Downarrow Q$. From $\epsilon \not\le T[\Delta := \epsilon]$, it follows that $A[\Delta := \epsilon] \not\le (AT)[\Delta := \epsilon]$. By Lemma A.3 we have $\Delta \vdash^T_\Downarrow (P[x := Q])$. Moreover, we have $\Delta \vdash^T_\nabla N$ because $U[\Delta := \epsilon] = \epsilon \not\le T[\Delta := \epsilon]$.

• Case $M = (\Lambda\alpha.P)\,B \xrightarrow{\epsilon} P[\alpha := B] = N$: We can assume without loss of generality that $\alpha \notin FTV(\Gamma) \cup FTV(A) \cup FTV(T) \cup \Delta$. Assume $\Delta \vdash^T_\Downarrow M$. Then we have $\Delta, \alpha \vdash^T_\Downarrow P$. Because $\alpha \notin FTV(AT)$, by applying Lemma A.4 we have $\Delta \vdash^{T[\alpha := B]}_\Downarrow P[\alpha := B]$. Because $\alpha \notin FTV(T)$, $T[\alpha := B] = T$. So we have $\Delta \vdash^T_\Downarrow (P[\alpha := B])$.

The proof of $\Delta \vdash^T_\nabla N$ is similar to the prior case since $U = \epsilon$.

• Case $M = \blacktriangleright_\alpha P \xrightarrow{U} \blacktriangleright_\alpha P' = N$ with $P \xrightarrow{\alpha^{-1}U} P'$: Assume $\Delta \vdash^T_\Downarrow \blacktriangleright_\alpha P$. Then $\Delta \vdash^{\alpha^{-1}T}_\Downarrow P$. The typability of $M$ implies the typability of $P$. We have $(\alpha^{-1}U)[\Delta := \epsilon] \not\le (\alpha^{-1}T)[\Delta := \epsilon]$ because $U[\Delta := \epsilon] \not\le T[\Delta := \epsilon]$. So, by the induction hypothesis, we obtain $\Delta \vdash^{\alpha^{-1}T}_\Downarrow P'$. Therefore $\Delta \vdash^T_\Downarrow N$.

Assume $\Delta \vdash^T_\nabla \blacktriangleright_\alpha P$. It must be the case that $\epsilon \not\le T[\Delta := \epsilon]$. Therefore $\Delta \vdash^T_\nabla \blacktriangleright_\alpha P'$.

• Case $M = \Lambda\alpha.P \xrightarrow{U} \Lambda\alpha.P' = N$ with $P \xrightarrow{U'} P'$ and $U = U'[\alpha := \epsilon]$: We can assume without loss of generality that $\alpha \notin FTV(\Gamma) \cup FTV(A) \cup FTV(T) \cup \Delta$. Moreover $\alpha \notin FTV(U)$ because $U = U'[\alpha := \epsilon]$. It follows that

$$\begin{array}{rcll}
U'[\Delta, \alpha := \epsilon] &=& (U'[\alpha := \epsilon])[\Delta := \epsilon] & \\
&=& U[\Delta := \epsilon] & (\text{by the definition of } U)\\
&\not\le& T[\Delta := \epsilon] & (\text{by assumption})\\
&=& T[\Delta, \alpha := \epsilon] & (\text{because } \alpha \notin FTV(T))
\end{array}$$

Assume that $\Delta \vdash^T_\Downarrow M$. Then $\Delta, \alpha \vdash^T_\Downarrow P$. The typability of $M$ implies the typability of $P$. So, by the induction hypothesis, we have $\Delta, \alpha \vdash^T_\Downarrow P'$, which implies $\Delta \vdash^T_\Downarrow N$.

The proof of the remaining part is similar to the other cases. □



Appendix B. List of Error-generating and Error-propagating Rules

The List of Error-generating Rules.

$$\frac{\vdash_\epsilon M \Downarrow M' \quad M' \notin \mathbb{Z} \quad \odot \in \{+, -, *, =\}}{\vdash_\epsilon M \odot N \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M \Downarrow M' \quad M' \in \mathbb{Z} \quad \vdash_\epsilon N \Downarrow N' \quad N' \notin \mathbb{Z} \quad \odot \in \{+, -, *, =\}}{\vdash_\epsilon M \odot N \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M \Downarrow M' \quad M' \notin \{\mathtt{true}, \mathtt{false}\}}{\vdash_\epsilon \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}} \qquad \frac{}{\vdash_\epsilon x \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M \Downarrow M' \quad M' \ne \lambda x{:}\tau.M''}{\vdash_\epsilon M\,N \Downarrow \mathit{err}} \qquad \frac{\vdash_\epsilon M \Downarrow M' \quad M' \ne \Lambda\alpha.M''}{\vdash_\epsilon M\,A \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M \Downarrow M' \quad M' \ne \blacktriangleright_\alpha M''}{\vdash_\alpha \blacktriangleleft_\alpha M \Downarrow \mathit{err}} \qquad \vdash_\epsilon M \Downarrow \mathit{err}$$

The List of Error-propagating Rules.

$$\frac{\vdash_A M \Downarrow \mathit{err} \quad \odot \in \{+, -, *, =\}}{\vdash_A M \odot N \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow M' \quad \vdash_A N \Downarrow \mathit{err} \quad \odot \in \{+, -, *, =\}}{\vdash_A M \odot N \Downarrow \mathit{err}}$$

$$\frac{\vdash_A M \Downarrow \mathit{err}}{\vdash_A \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}} \qquad \frac{\vdash_\epsilon M \Downarrow \mathtt{true} \quad \vdash_\epsilon N_1 \Downarrow \mathit{err}}{\vdash_\epsilon \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M \Downarrow \mathtt{false} \quad \vdash_\epsilon N_2 \Downarrow \mathit{err}}{\vdash_\epsilon \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow M' \quad \vdash_A N_1 \Downarrow \mathit{err} \quad A \ne \epsilon}{\vdash_A \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}}$$

$$\frac{\vdash_A M \Downarrow M' \quad \vdash_A N_1 \Downarrow N_1' \quad \vdash_A N_2 \Downarrow \mathit{err} \quad A \ne \epsilon}{\vdash_A \mathtt{if}\ M\ \mathtt{then}\ N_1\ \mathtt{else}\ N_2 \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow \mathit{err} \quad A \ne \epsilon}{\vdash_A \lambda x{:}\tau.M \Downarrow \mathit{err}}$$

$$\frac{\vdash_A M \Downarrow \mathit{err}}{\vdash_A M\,N \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow M' \quad \vdash_A N \Downarrow \mathit{err}}{\vdash_A M\,N \Downarrow \mathit{err}} \qquad \frac{\vdash_{A\alpha} M \Downarrow \mathit{err}}{\vdash_A \blacktriangleright_\alpha M \Downarrow \mathit{err}}$$

$$\frac{\vdash_A M \Downarrow \mathit{err}}{\vdash_{A\alpha} \blacktriangleleft_\alpha M \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow \mathit{err}}{\vdash_A \Lambda\alpha.M \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow \mathit{err}}{\vdash_A M\,B \Downarrow \mathit{err}}$$

$$\frac{\vdash_\epsilon M[f := \mathtt{fix}\ f{:}\tau \to \sigma.M] \Downarrow \mathit{err}}{\vdash_\epsilon \mathtt{fix}\ f{:}\tau \to \sigma.M \Downarrow \mathit{err}} \qquad \frac{\vdash_A M \Downarrow \mathit{err} \quad A \ne \epsilon}{\vdash_A \mathtt{fix}\ f{:}\tau \to \sigma.M \Downarrow \mathit{err}}$$



Appendix C. Proofs of Properties about mini-ML

C.1. Proof of Theorem 4.4 (Type Soundness of MiniML$^\triangleright$).

Lemma C.1. If $\Gamma \vdash_{\alpha A} v : \tau$ and $v \in V^{\alpha A}$, then $\Gamma^{-\alpha} \vdash_A v : \tau$.

Proof. By induction on the structure of $v$. We show only the cases for $v = x$ and $v = \blacktriangleleft_\beta v'$.

• Case $v = x$: We have $x{:}\tau@\alpha A \in \Gamma$. Because $x{:}\tau@A \in \Gamma^{-\alpha}$, $\Gamma^{-\alpha} \vdash_A x : \tau$.

• Case $v = \blacktriangleleft_\beta v'$: We have $A \ne \epsilon$ because $\blacktriangleleft_\beta v' \in V^{\alpha A}$. That means $A = A'\beta$ for some $A'$ and $\Gamma \vdash_{\alpha A'\beta} \blacktriangleleft_\beta v' : \tau$. So we have $\Gamma \vdash_{\alpha A'} v' : \triangleright_\beta\tau$. By the induction hypothesis, $\Gamma^{-\alpha} \vdash_{A'} v' : \triangleright_\beta\tau$. Therefore, by the typing rule for $\blacktriangleleft_\beta$, we have $\Gamma^{-\alpha} \vdash_{A'\beta} \blacktriangleleft_\beta v' : \tau$. □



Proof of Theorem \4-4\ The first part of the theorem 

If T is e-free and T h A M : t and h A M JJ R, then R = v and v € V A for 
some u and V \- A v : r. 

is proved by induction on the derivation of \- A M JJ R with case analysis on the form of M 
and the last rule used to derive \- A M JJ R. 

We only show representative cases here. 
• Case M = x 

— Subcase —a — (A ^ e) 

\- A x JJ x y ' 

(1) Immediate. 

— Subcase 



\- e x JJ err 

(1) We have x : r@e E V because T \- £ x : t but this contradicts the assumption that 
r is e-free. 
Case M = < a N 

" SubcaSe K* « a iVJJiV' 

(1) We have T h £ N : > a r because T K < a N. 

(2) By the induction hypothesis, T h £ N' : > a T and ► q, N' EV £ . 

(3) So we have r h a JV' : r and N' EV a . 

\- A N JJ N' 

- Subcase P^^ivT^^ (A ^ e) 

(1) We have r h A iV : Q r because r h A iV : r. 

(2) By the induction hypothesis, r h A TV' : t> a r and N' EV A . 

(3) Therefore, T h Ao ^ a JV' : r by and ^ Q TV' € T/ Aq . 
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h e N JJ- N' N' ± ► Q N" 

— Subcase — = r-— n 

h Q * a iV JJ. err 

(1) We have T \- £ N : > a r because rh £ ^ a JV:T. 

(2) By the induction hypothesis, T \- £ N' : > a r and N' G V £ , which is a contradiction. 

• Case M = Aa.N 

\- A N ij. N' 

— Subcase , a , — ,, , — 7 

h A Aa.N JJ. Aa.N' 

(1) We have r = Va.r' and T \- A N : t' for some r' and a <£ FTV(r) U FTV(A) 
because T \- A Aa.N : r. 

(2) By the induction hypothesis, T \- A N' : r' and N' G V A . 

(3) Therefore, T h A Aa.N' : r by (Gen) and AaN' G y A . 

• Case $M = N\,B$

– Subcase $\dfrac{\vdash^{\varepsilon} N \Downarrow \Lambda\alpha.N' \qquad \vdash^{\varepsilon} N'[\alpha := B] \Downarrow M'}{\vdash^{\varepsilon} N\,B \Downarrow M'}$

(1) We have $\tau = \sigma[\alpha := B]$ and $\Gamma \vdash^{\varepsilon} N : \forall\alpha.\sigma$ for some $\alpha$ and $\sigma$, because $\Gamma \vdash^{\varepsilon} N\,B : \tau$.

(2) By the induction hypothesis, $\Gamma \vdash^{\varepsilon} \Lambda\alpha.N' : \forall\alpha.\sigma$. Therefore $\Gamma \vdash^{\varepsilon} N' : \sigma$ and $\alpha \notin FTV(\Gamma)$.

(3) By the Substitution Lemma and $\alpha \notin FTV(\Gamma)$, $\Gamma \vdash^{\varepsilon} N'[\alpha := B] : \tau$.

(4) By the induction hypothesis, $\Gamma \vdash^{\varepsilon} M' : \tau$ and $M' \in V^{\varepsilon}$.

– Subcase $\dfrac{\vdash^{A} N \Downarrow N'}{\vdash^{A} N\,B \Downarrow N'\,B}\ (A \neq \varepsilon)$

(1) We have $\tau = \sigma[\alpha := B]$ and $\Gamma \vdash^{A} N : \forall\alpha.\sigma$ for some $\alpha$ and $\sigma$, because $\Gamma \vdash^{A} N\,B : \tau$.

(2) By the induction hypothesis, $\Gamma \vdash^{A} N' : \forall\alpha.\sigma$ and $N' \in V^{A}$.

(3) Therefore, $\Gamma \vdash^{A} N'\,B : \tau$ by (Ins) and $N'\,B \in V^{A}$.

– Subcase $\dfrac{\vdash^{\varepsilon} N \Downarrow N' \qquad N' \neq \Lambda\alpha.N''}{\vdash^{\varepsilon} N\,B \Downarrow \mathit{err}}$

(1) We have $\tau = \sigma[\alpha := B]$ and $\Gamma \vdash^{\varepsilon} N : \forall\alpha.\sigma$ for some $\alpha$ and $\sigma$, because $\Gamma \vdash^{\varepsilon} N\,B : \tau$.

(2) By the induction hypothesis, $\Gamma \vdash^{\varepsilon} N' : \forall\alpha.\sigma$ and $N' \in V^{\varepsilon}$, which is a contradiction, since a value of type $\forall\alpha.\sigma$ at stage $\varepsilon$ must have the form $\Lambda\alpha.N''$.

Now, we prove the second part. By the first part, $\Gamma \vdash^{\varepsilon} v : \triangleright_\alpha \tau$ and $v \in V^{\varepsilon}$. Therefore $v = \triangleright_\alpha v'$ and $v' \in V^{\alpha}$. From the typing rules, we have $\Gamma \vdash^{\alpha} v' : \tau$. Then, we have $\Gamma^{-\alpha} \vdash^{\varepsilon} v' : \tau$ by Lemma C.1. □



C.2. Proof of Theorem 4.5. We first prove type soundness for the new type system (Lemma C.8). Although the new type system identifies a subset of well-typed $\lambda^{\triangleright}$ terms, type soundness has to be proved again, since we want to guarantee that the evaluation of a term typed under the new type system results (if it converges) in a value that is also typed under it. We start by proving various substitution lemmas.

Lemma C.2 (Term Substitution Preserves Typing). If $\Gamma, x : \sigma@B; \Delta \vdash_s^{A} M : \tau$ and $\Gamma; \Delta \vdash_s^{B} N : \sigma$, then $\Gamma; \Delta \vdash_s^{A} M[x := N] : \tau$.

Proof. Similar to the proof of Lemma 3.1. □

Next, we show that substitution for transition variables preserves various kinds of well-formedness and typing.

Lemma C.3. If $\Delta, \alpha@B \vdash_s A$ and $\Delta \vdash_s BC$, then $\Delta[\alpha := C] \vdash_s A[\alpha := C]$.
Proof. By induction on the length of $A$. The base case is trivial because $\Delta \vdash_s \varepsilon$ for any $\Delta$. So, we show the induction step.

Let $A = \alpha_1 \ldots \alpha_n$. Assume $\Delta, \alpha@B \vdash_s A$. It is easy to see that $\Delta, \alpha@B \vdash_s \alpha_1 \ldots \alpha_n$ implies $\Delta, \alpha@B \vdash_s \alpha_1 \ldots \alpha_{n-1}$. Then $\Delta[\alpha := C] \vdash_s (\alpha_1 \ldots \alpha_{n-1})[\alpha := C]$ by the induction hypothesis. We have $\alpha_n@\alpha_1 \ldots \alpha_{n-1} \in (\Delta, \alpha@B)$ from the definition of $\Delta, \alpha@B \vdash_s A$. The proof is divided into two cases.

• Case $\alpha_n \neq \alpha$: It is the case that $\alpha_n@\alpha_1 \ldots \alpha_{n-1} \in \Delta$. The conclusion is trivial, because $\alpha_n@(\alpha_1 \ldots \alpha_{n-1})[\alpha := C] \in \Delta[\alpha := C]$.

• Case $\alpha_n = \alpha$: It is the case that $\alpha_1 \ldots \alpha_{n-1} = B$. Let $C = \beta_1 \ldots \beta_m$. Because $\Delta \vdash_s BC$, we have
$$\Delta_0 = \{\alpha_1@\varepsilon,\ \alpha_2@\alpha_1,\ \ldots,\ \alpha_{n-1}@\alpha_1 \ldots \alpha_{n-2},\ \beta_1@B,\ \beta_2@B\beta_1,\ \ldots,\ \beta_m@B\beta_1 \ldots \beta_{m-1}\} \subseteq \Delta.$$
Let $\Delta_1 = \Delta - \Delta_0$. Note that $\alpha \notin \{\alpha_1, \ldots, \alpha_{n-1}, \beta_1, \ldots, \beta_m\} = FTV(\Delta_0)$ and $\Delta_0 \vdash_s BC$. Therefore we have $\Delta[\alpha := C] = \Delta_0[\alpha := C] \cup \Delta_1[\alpha := C] = \Delta_0 \cup \Delta_1[\alpha := C]$. Because $(B\alpha)[\alpha := C] = BC$ and $\Delta_0 \vdash_s BC$, we obtain $\Delta[\alpha := C] \vdash_s A[\alpha := C]$. □

Lemma C.4. If $\vdash_s \Delta, \alpha@B$ and $\Delta \vdash_s BC$, then $\vdash_s \Delta[\alpha := C]$.

Proof. Let $\beta@A \in \Delta[\alpha := C]$. We show $\Delta[\alpha := C] \vdash_s A$.

There exists some $A'$ such that $\beta@A' \in \Delta$ and $A = A'[\alpha := C]$, because $\beta@A \in \Delta[\alpha := C]$. Since $\vdash_s \Delta, \alpha@B$, we have $\Delta, \alpha@B \vdash_s A'$. So by Lemma C.3 we have $\Delta[\alpha := C] \vdash_s A'[\alpha := C]$, as required. □
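To make the two judgements concrete, the following checker is an added example and not code from the paper. It encodes $\Delta \vdash_s A$ and the substitution $[\alpha := C]$ on stages under an assumed representation (a stage is a tuple of variable names, $\Delta$ is a set of pairs $(\alpha, B)$ standing for $\alpha@B$), and evaluates the statements of Lemmas C.3 and C.4 on a constructed instance, including one where the side condition $\Delta \vdash_s BC$ fails and the conclusion fails with it.

```python
# Added example (not from the paper): checker for the stage well-formedness
# judgement Delta |-_s A, transition substitution on stages, and the
# statements of Lemmas C.3 and C.4 on concrete instances.
# Encoding (an assumption of this example): a stage A is a tuple of
# transition-variable names; Delta is a set of pairs (alpha, B) for alpha@B.


def wf_stage(delta, stage):
    """Delta |-_s A: the k-th variable of A must be declared at the stage
    formed by the variables preceding it, i.e. alpha_k@alpha_1...alpha_{k-1}
    is in Delta. The empty stage is well formed under any Delta."""
    return all((stage[k], stage[:k]) in delta for k in range(len(stage)))


def wf_decls(delta):
    """|-_s Delta: every declared stage is itself well formed under Delta."""
    return all(wf_stage(delta, B) for (_, B) in delta)


def subst_stage(stage, alpha, C):
    """A[alpha := C]: replace each occurrence of alpha by the sequence C."""
    out = []
    for beta in stage:
        out.extend(C if beta == alpha else (beta,))
    return tuple(out)


def subst_decls(delta, alpha, C):
    """Delta[alpha := C]: substitute in every declared stage. As in the
    lemma, Delta itself must not contain the declaration of alpha."""
    assert all(beta != alpha for (beta, _) in delta), "Delta must not declare alpha"
    return {(beta, subst_stage(B, alpha, C)) for (beta, B) in delta}


def lemma_c3(delta, alpha, B, C, A):
    """Lemma C.3 on one instance: returns (premises_hold, conclusion_holds) for
    Delta, alpha@B |-_s A  and  Delta |-_s BC  ==>  Delta[alpha:=C] |-_s A[alpha:=C]."""
    extended = delta | {(alpha, B)}
    premises = wf_stage(extended, A) and wf_stage(delta, B + C)
    conclusion = wf_stage(subst_decls(delta, alpha, C), subst_stage(A, alpha, C))
    return premises, conclusion


def lemma_c4(delta, alpha, B, C):
    """Lemma C.4 on one instance: returns (premises_hold, conclusion_holds) for
    |-_s Delta, alpha@B  and  Delta |-_s BC  ==>  |-_s Delta[alpha:=C]."""
    premises = wf_decls(delta | {(alpha, B)}) and wf_stage(delta, B + C)
    return premises, wf_decls(subst_decls(delta, alpha, C))


# Constructed instance (not from the paper): a1@eps, b1@a1, b2@a1 b1, and
# g@a1 a, where g is declared at a stage mentioning the substituted variable a.
DELTA = {("a1", ()), ("b1", ("a1",)), ("b2", ("a1", "b1")), ("g", ("a1", "a"))}
B = ("a1",)            # a is declared at stage a1
C_OK = ("b1", "b2")    # Delta |-_s a1 b1 b2 holds
C_BAD = ("b2",)        # Delta |-_s a1 b2 fails: b2 is declared at a1 b1, not at a1
A = ("a1", "a", "g")   # well formed under Delta, a@a1

if __name__ == "__main__":
    print(lemma_c3(DELTA, "a", B, C_OK, A))   # (True, True)
    print(lemma_c3(DELTA, "a", B, C_BAD, A))  # (False, False): side condition needed
    print(lemma_c4(DELTA, "a", B, C_OK))      # (True, True)
```

The second call shows why the hypothesis $\Delta \vdash_s BC$ cannot be dropped: after substituting the ill-formed sequence, the stage $a_1 b_2 g$ mentions $b_2$ at a stage where it was never declared, so $\Delta[\alpha := C] \vdash_s A[\alpha := C]$ fails.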

Lemma C.5. If $\Delta, \alpha@B \vdash_s^{A} \tau$ and $\Delta \vdash_s BC$, then $\Delta[\alpha := C] \vdash_s^{A[\alpha := C]} \tau[\alpha := C]$.

Proof. By induction on the structure of the type $\tau$.

• Case $\tau = \mathit{int}$: Because $\Delta, \alpha@B \vdash_s^{A} \mathit{int}$, we have $\Delta, \alpha@B \vdash_s A$. So by Lemma C.3 we obtain $\Delta[\alpha := C] \vdash_s A[\alpha := C]$. Therefore we obtain $\Delta[\alpha := C] \vdash_s^{A[\alpha := C]} \mathit{int}$ by applying (ST-Base).

• Case $\tau = \triangleright_\beta \sigma$: Because $\Delta, \alpha@B \vdash_s^{A} \triangleright_\beta \sigma$, we have $\Delta, \alpha@B \vdash_s^{A\beta} \sigma$. By the induction hypothesis, we have $\Delta[\alpha := C] \vdash_s^{(A\beta)[\alpha := C]} \sigma[\alpha := C]$. Therefore by applying (ST-Code) as many times as needed, we obtain $\Delta[\alpha := C] \vdash_s^{A[\alpha := C]} \triangleright_{\beta[\alpha := C]}(\sigma[\alpha := C])$.

• Case $\tau = \forall\beta@A'.\sigma$: Because $\Delta, \alpha@B \vdash_s^{A} \forall\beta@A'.\sigma$, we have $\Delta, \alpha@B, \beta@AA' \vdash_s^{A} \sigma$. By the induction hypothesis, we have $\Delta[\alpha := C], \beta@(AA')[\alpha := C] \vdash_s^{A[\alpha := C]} \sigma[\alpha := C]$. Hence by applying (ST-Univ), we obtain $\Delta[\alpha := C] \vdash_s^{A[\alpha := C]} \forall\beta@(A'[\alpha := C]).(\sigma[\alpha := C])$.

□

Lemma C.6. If $\Delta, \alpha@B \vdash_s \Gamma$ and $\Delta \vdash_s BC$, then $\Delta[\alpha := C] \vdash_s \Gamma[\alpha := C]$.

Proof. Take $x : \tau@A \in \Gamma$. By the well-formedness of $\Gamma$, we have $\Delta, \alpha@B \vdash_s^{A} \tau$. By Lemma C.5, we have $\Delta[\alpha := C] \vdash_s^{A[\alpha := C]} \tau[\alpha := C]$, as required. □
Now we show the substitution lemma for transition variables. However, transition substitution does not preserve typing in general, and, even worse, transition substitution is undefined in some cases. This is because of the distinction between the two kinds of applications $M[\alpha]$ and $M\,A$. For example, if we substitute $A$ for $\alpha$ in $M[\alpha]$, the result is $M[A]$, which is not a valid term.

So, the substitution lemma we will prove is a restricted one. Transition substitution preserves typing in the following two cases:

(1) Substitution of a single transition variable, $M[\alpha := \beta]$, for any $M$.

(2) Substitution of an arbitrary transition $A$ at the initial stage in a value, $v[\alpha := A]$, where $v$ is a value (an element of $V^{\varepsilon}$) and $\alpha@\varepsilon$.

They are what we need to prove type soundness.

Lemma C.7.

(1) If $\Gamma; \Delta, \alpha@B \vdash_s^{A} M : \tau$ and $\beta@B \in \Delta$, then $\Gamma[\alpha := \beta]; \Delta[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} M[\alpha := \beta] : \tau[\alpha := \beta]$.

(2) For any $v \in V^{A}$, if $\Gamma; \Delta, \alpha@\varepsilon \vdash_s^{A} v : \tau$ and $\Delta \vdash_s B$, then $\Gamma[\alpha := B]; \Delta[\alpha := B] \vdash_s^{A[\alpha := B]} v[\alpha := B] : \tau[\alpha := B]$.

Proof. We can prove (1) by induction on the type derivation.

• Case (S-Var): We have $M = x$ and $\Delta, \alpha@B \vdash_s \Gamma$ with $x : \tau@A \in \Gamma$. By Lemma C.6 we have $\Delta[\alpha := \beta] \vdash_s \Gamma[\alpha := \beta]$, and $x : \tau[\alpha := \beta]@A[\alpha := \beta] \in \Gamma[\alpha := \beta]$. By applying the (S-Var) rule, we obtain $\Gamma[\alpha := \beta]; \Delta[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} x : \tau[\alpha := \beta]$.

• Case (S-Gen): We have $M = \Lambda\gamma.M'$ and $\tau = \forall\gamma@C.\sigma$ and $\Gamma; \Delta, \alpha@B, \gamma@AC \vdash_s^{A} M' : \sigma$. By the induction hypothesis, we have $\Gamma[\alpha := \beta]; \Delta[\alpha := \beta], \gamma@(AC)[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} M'[\alpha := \beta] : \sigma[\alpha := \beta]$ (note that $\alpha \neq \gamma$). By applying the (S-Gen) rule, we obtain
$$\Gamma[\alpha := \beta]; \Delta[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} \Lambda\gamma.(M'[\alpha := \beta]) : \forall\gamma@(C[\alpha := \beta]).\sigma[\alpha := \beta].$$

• Case (S-Ins2): We have $M = M'[\gamma_1]$, and there are some $\sigma$, $\gamma_0$ and $C$ such that $\tau = \sigma[\gamma_0 := \gamma_1]$ and $\Gamma; \Delta, \alpha@B \vdash_s^{A} M' : \forall\gamma_0@C.\sigma$ and $\gamma_1@AC \in \Delta$. We can assume without loss of generality that $\gamma_0 \notin FTV(C) \cup \{\alpha, \beta\}$. By the induction hypothesis, we have $\Gamma[\alpha := \beta]; \Delta[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} M'[\alpha := \beta] : (\forall\gamma_0@C.\sigma)[\alpha := \beta]$. Since $(\forall\gamma_0@C.\sigma)[\alpha := \beta] = \forall\gamma_0@(C[\alpha := \beta]).(\sigma[\alpha := \beta])$ and $\gamma_1[\alpha := \beta]@(AC)[\alpha := \beta] \in \Delta[\alpha := \beta]$, we can apply (S-Ins2) to obtain $\Gamma[\alpha := \beta]; \Delta[\alpha := \beta] \vdash_s^{A[\alpha := \beta]} (M'[\gamma_1])[\alpha := \beta] : \sigma[\alpha := \beta][\gamma_0 := \gamma_1[\alpha := \beta]]$. Because $\gamma_0 \notin \{\alpha, \beta\}$, we have
$$\sigma[\alpha := \beta][\gamma_0 := \gamma_1[\alpha := \beta]] = \sigma[\gamma_0 := \gamma_1][\alpha := \beta] = \tau[\alpha := \beta].$$

The proof of (2) is the same as the proof of (1), except for the case (S-Ins2). We prove this case. Let $v = v'[\gamma_1]$. To prove this case, it is important to notice that $\gamma_1 \neq \alpha$. This fact can be shown by the following observation. Assume that $\gamma_1 = \alpha$. Then, the stage $A$ of $v$ must be $\varepsilon$ because the stage of $\alpha$ is $\varepsilon$, but $v \in V^{\varepsilon}$ contradicts the fact that $v$ is a transition application. Therefore $\gamma_1 \neq \alpha$. The rest of the proof is the same as (1). □

Then we show the preservation of $\vdash_s$ by evaluation.

Lemma C.8 (Type Soundness (2)). If $\Gamma; \Delta \vdash_s^{A} M : \tau$ and $\vdash^{A} M \Downarrow R$, then $R = v^{A}$ and $\Gamma; \Delta \vdash_s^{A} v^{A} : \tau$ for some $v^{A} \in V^{A}$.

Proof. Similar to the proof of Theorem 4.4. □

We also have the counterpart of Lemma C.1 for the new type system. We define $\Delta^{-\alpha} = \{\beta@B \mid \beta@\alpha B \in \Delta\}$.

Lemma C.9. If $\Gamma; \Delta \vdash_s^{\alpha A} M : \tau$ and $M \in V^{\alpha A}$, then we have $\Gamma^{-\alpha}; \Delta^{-\alpha} \vdash_s^{A} M : \tau$.

Proof. Similar to the proof of Lemma C.1. □

Finally, we prove Theorem 4.5 via a more general property for which proof by induction works.

Theorem C.10. If $\Gamma$ is $\varepsilon$-free and $\Gamma; \Delta \vdash_s^{A} M : \tau$ and $n$ is the length of $A$, then

(1) if $\vdash^{A} M \Downarrow N$, then $\vdash_b^{n} b(M) \Downarrow b(N)$; and

(2) if $\vdash_b^{n} b(M) \Downarrow N$, there is some $N'$ such that $\vdash^{A} M \Downarrow N'$ and $N = b(N')$.

Proof. By induction on the derivation of $\vdash^{A} M \Downarrow N$ (for (1)) or $\vdash_b^{n} b(M) \Downarrow N$ (for (2)) with case analysis on the last rule used in the derivation. Actually, the only interesting case is when $M = M_0\,B$ and $\vdash^{A} M_0\,B \Downarrow N$.

• Proof of (1): Assume $M = M_0\,B$ and $\vdash^{A} M_0\,B \Downarrow N$. The case $A \neq \varepsilon$ is easy. Assume $A = \varepsilon$. So, the last derivation step for $\vdash^{\varepsilon} M_0\,B \Downarrow N$ is of the form
$$\dfrac{\vdash^{\varepsilon} M_0 \Downarrow \Lambda\alpha.M_1 \qquad \vdash^{\varepsilon} M_1[\alpha := B] \Downarrow N}{\vdash^{\varepsilon} M_0\,B \Downarrow N}.$$
Since $\Gamma; \Delta \vdash_s^{\varepsilon} M_0\,B : \tau$, we have $\Gamma; \Delta \vdash_s^{\varepsilon} M_0 : \forall\alpha@\varepsilon.\triangleright_\alpha\sigma$ and $\tau = (\triangleright_\alpha\sigma)[\alpha := B]$ for some $\sigma$. By Lemma C.8 we have $\Gamma; \Delta \vdash_s^{\varepsilon} \Lambda\alpha.M_1 : \forall\alpha@\varepsilon.\triangleright_\alpha\sigma$ and $\Lambda\alpha.M_1 \in V^{\varepsilon}$. Therefore, $\Gamma; \Delta, \alpha@\varepsilon \vdash_s^{\varepsilon} M_1 : \triangleright_\alpha\sigma$ and $M_1 \in V^{\varepsilon}$. Because $M_1 \in V^{\varepsilon}$, we have $M_1 = \triangleright_\alpha M_2$ with $M_2 \in V^{\alpha}$. So $\Gamma; \Delta, \alpha@\varepsilon \vdash_s^{\alpha} M_2 : \sigma$. By Lemma C.9, $\Gamma^{-\alpha}; (\Delta, \alpha@\varepsilon)^{-\alpha} \vdash_s^{\varepsilon} M_2 : \sigma$. Because $(\Delta, \alpha@\varepsilon)^{-\alpha} = \Delta^{-\alpha}$, we have $\alpha \notin FTV((\Delta, \alpha@\varepsilon)^{-\alpha})$, and therefore $\alpha \notin FTV(M_2)$. So $(\triangleright_\alpha M_2)[\alpha := B] = \triangleright_B M_2$. Then, we know that the last derivation step must have a more specific shape:
$$\dfrac{\vdash^{\varepsilon} M_0 \Downarrow \Lambda\alpha.\triangleright_\alpha M_2 \qquad \vdash^{\varepsilon} \triangleright_B M_2 \Downarrow N}{\vdash^{\varepsilon} M_0\,B \Downarrow N}.$$
By the induction hypothesis, we have $\vdash_b^{0} b(M_0) \Downarrow \Lambda\,\triangleright b(M_2)$ and $\vdash_b^{0} \triangleright^{m} b(M_2) \Downarrow b(N)$, where $m$ is the length of $B$ and $\triangleright^{m}$ stands for $m$ occurrences of $\triangleright$, because $b(\triangleright_B M_2) = \triangleright^{m} b(M_2)$. Finally, we obtain $\vdash_b^{0} b(M_0)\,m \Downarrow b(N)$ from them.

• Proof of (2): Assume $M = M_0\,B$ and $\vdash_b^{n} b(M_0\,B) \Downarrow N^{b}$. The case $n \neq 0$ is easy. We assume $n = 0$. Then, the last derivation step is of the form
$$\dfrac{\vdash_b^{0} b(M_0) \Downarrow \Lambda\,\triangleright M_2^{b} \qquad \vdash_b^{0} \triangleright^{m} M_2^{b} \Downarrow N^{b}}{\vdash_b^{0} b(M_0)\,m \Downarrow N^{b}}$$
where $m$ is the length of $B$. Since $\Gamma; \Delta \vdash_s^{\varepsilon} M_0\,B : \tau$, we have $\Gamma; \Delta \vdash_s^{\varepsilon} M_0 : \forall\alpha@\varepsilon.\triangleright_\alpha\sigma$ for some $\sigma$.

By the induction hypothesis, there is some $M_1$ such that $\vdash^{\varepsilon} M_0 \Downarrow M_1$ and $\Lambda\,\triangleright M_2^{b} = b(M_1)$. So $M_1 = \Lambda\alpha.\triangleright_\beta M_2$ for some $\alpha$, $\beta$ and $M_2$ such that $b(M_2) = M_2^{b}$. Actually, $\alpha = \beta$, since $M_0$ has the type $\forall\alpha@\varepsilon.\triangleright_\alpha\sigma$ and evaluation preserves types. By the same argument as in the proof of (1), we have $\alpha \notin FTV(M_2)$. Therefore, $(\triangleright_\alpha M_2)[\alpha := B] = \triangleright_B M_2$.

Because $b(\triangleright_B M_2) = \triangleright^{m} M_2^{b}$, by the induction hypothesis we have $\vdash^{\varepsilon} \triangleright_B M_2 \Downarrow N$ for some $N$ with $b(N) = N^{b}$, and hence $\vdash^{\varepsilon} M_0\,B \Downarrow N$. □

Proof of Theorem 4.5. Theorem 4.5 is a special case of Theorem C.10. □



Appendix D. Proof of Completeness (Theorem 5.2)

D.1. Completeness in the Quantifier-Free Setting. We first prove completeness in the quantifier-free setting: the set of propositions has no quantifiers, and the deduction rules and semantics have no rules for quantifiers.

Formally, the set $\Phi^{qf}$ of quantifier-free propositions is defined by the following grammar:
$$\text{Propositions}\quad \phi \in \Phi^{qf} ::= p \mid \bot \mid \phi \to \phi \mid \triangleright_\alpha \phi.$$

The natural deduction system consists of (Var), (Abs), (App), $(\triangleright)$, $(\triangleleft)$ and $(\bot\text{-E})$. The Kripke semantics for this fragment is essentially the same as for the full logic, but the proposition $\phi$ in the satisfaction relation $T, v, \rho; A \Vdash \phi$ is restricted to be a quantifier-free one.

An assumption $\Gamma$ is a (possibly infinite) set $\{\phi_i@A_i\}$ where $\phi_i \in \Phi^{qf}$ and $A_i \in \Sigma^{*}$. We say an assumption $\Gamma$ is consistent if $\Gamma \nvdash^{\varepsilon} \bot$. (When $\Gamma$ is infinite, $\Gamma \vdash^{A} \phi$ means that there exists a finite assumption $\Gamma' \subseteq \Gamma$ such that $\Gamma' \vdash^{A} \phi$.) We say $\Gamma$ is maximally consistent when $\Gamma$ is consistent and maximal (under the ordinary set inclusion ordering).

Lemma D.1. For any consistent assumption $\Gamma$, there is a maximally consistent assumption $\Gamma'$ such that $\Gamma' \supseteq \Gamma$.

Proof. We apply Zorn's Lemma to the set $\mathcal{O} = \{\Delta \mid \Gamma \subseteq \Delta \text{ and } \Delta \text{ is consistent}\}$. To apply Zorn's Lemma, we prove that every totally ordered subset $\Xi \subseteq \mathcal{O}$ has an upper bound in $\mathcal{O}$, by showing $\bigcup \Xi \in \mathcal{O}$. It is clear that $\Gamma \subseteq \bigcup \Xi$.

We show that $\bigcup \Xi$ is consistent. Assume $\bigcup \Xi$ is inconsistent, i.e. $\bigcup \Xi \vdash^{\varepsilon} \bot$. Then there is a finite subset $\Delta \subseteq \bigcup \Xi$ such that $\Delta \vdash^{\varepsilon} \bot$. Let $\{\phi_i@A_i \mid 0 \le i < n\} = \Delta$. Because $\Delta \subseteq \bigcup \Xi$, for every $\phi_i@A_i \in \Delta$ there is an assumption $\Xi_i \in \Xi$ which satisfies $\phi_i@A_i \in \Xi_i$. Because the number $n$ of elements in $\Delta$ is finite and $\Xi$ is totally ordered, there is a maximal assumption $\Xi_j \supseteq \Xi_i$ ($0 \le i < n$). Therefore $\Delta \subseteq \Xi_j$ and $\Xi_j$ is inconsistent, which is a contradiction. □
Let $\Gamma$ be maximally consistent. We construct a transition system $T_\Gamma$ and valuations $\rho_\Gamma$ and $v_\Gamma$ from it. The transition system¹ $T_\Gamma$ is $(\Sigma^{*}, \Sigma, \{\xrightarrow{\alpha} \mid \alpha \in \Sigma\})$, where $A \xrightarrow{\alpha} A\alpha$, and the valuation $\rho_\Gamma$ for transition variables is defined by $\rho_\Gamma(\alpha) = \alpha$. We define the valuation $v_\Gamma$ for propositional variables by $v_\Gamma(A, p) = 1$ if and only if $p@A \in \Gamma$.

Lemma D.2. $T_\Gamma, v_\Gamma, \rho_\Gamma; \varepsilon \Vdash \triangleright_A \phi$ if and only if $\phi@A \in \Gamma$.

Proof. Easy induction with respect to the proposition $\phi$. □

Theorem D.3 (Completeness for the quantifier-free fragment). If $\Gamma \Vdash \phi$ then $\Gamma \vdash^{\varepsilon} \phi$.

Proof. We prove by contraposition. Assume $\Gamma \nvdash^{\varepsilon} \phi$. Then $\Gamma, (\phi \to \bot)@\varepsilon$ is consistent. By Lemma D.1 there is a maximally consistent assumption $\Gamma' \supseteq \Gamma \cup \{(\phi \to \bot)@\varepsilon\}$. By Lemma D.2, $T_{\Gamma'}, v_{\Gamma'}, \rho_{\Gamma'}; \varepsilon \Vdash \Gamma$ and $T_{\Gamma'}, v_{\Gamma'}, \rho_{\Gamma'}; \varepsilon \Vdash \phi \to \bot$. So $T_{\Gamma'}, v_{\Gamma'}, \rho_{\Gamma'}; \varepsilon \nVdash \phi$ and, therefore, $\Gamma \nVdash \phi$. □



D.2. Completeness of the Full Logic. We prove completeness for the full logic. The way to prove completeness is similar to that for first-order predicate logic.

We abbreviate $\phi \to \bot$ to $\neg\phi$, $(\neg\phi) \to \psi$ to $\phi \vee \psi$, $\neg(\phi \to \neg\psi)$ to $\phi \wedge \psi$ and $\neg\forall\alpha.\neg\phi$ to $\exists\alpha.\phi$. The deduction rules for these connectives can be given as in ordinary classical logic, e.g. as follows:
$$\dfrac{\Gamma \vdash^{A} \phi \qquad \Gamma \vdash^{A} \psi}{\Gamma \vdash^{A} \phi \wedge \psi}\ (\wedge\text{-I})
\qquad
\dfrac{\Gamma \vdash^{A} \exists\alpha.\phi \qquad \Gamma, \phi@A \vdash^{A} \psi \qquad \alpha \notin FTV(\Gamma, \psi@A)}{\Gamma \vdash^{A} \psi}\ (\exists\text{-E}).$$

We abbreviate $\forall\alpha_1\forall\alpha_2 \ldots \forall\alpha_n\,\phi$ to $\forall^{n}\alpha\,\phi$. We also write $\phi$ as $\forall^{0}\alpha\,\phi$. We say a proposition is in prenex normal form when it has the form
$$\forall^{n_0}\alpha_0\ \exists\beta_1\ \forall^{n_1}\alpha_1\ \ldots\ \exists\beta_m\ \forall^{n_m}\alpha_m\ \psi$$
and $\psi$ has no quantifier. It is easy to see that for any proposition $\phi$ there is an equivalent proposition $\phi'$ (i.e., $\vdash^{\varepsilon} \phi \leftrightarrow \phi'$) which is in prenex normal form. Therefore we assume without loss of generality that all propositions in an assumption are in prenex normal form.

We construct a quantifier-free assumption $\Delta(\Gamma)$ from an assumption $\Gamma$ with quantifiers. Assume that all bound transition variables are different from other bound variables and from free variables in $\Gamma$.

First we construct a "Herbrand universe" from $\Gamma$. A Herbrand universe is a term algebra, the algebra freely generated from a signature. Let $\Sigma_0$ be the set of free transition variables in $\Gamma$ and $\Sigma_1$ be the set of bound transition variables in $\Gamma$. The set $S_\Gamma$ is defined as follows:
$$S_\Gamma = \{(\beta_k, \textstyle\sum_{i<k} n_i) \mid \forall^{n_0}\alpha_0\ \exists\beta_1 \ldots \exists\beta_k \ldots \forall^{n_m}\alpha_m\ \psi@A \in \Gamma\}$$
We regard $\mathrm{dom}(S_\Gamma)$ as the set of pairs of function symbols and their arities. If there is no constant (i.e., arity-$0$ function symbol) in $S_\Gamma$ and $\Sigma_0 = \Sigma_1 = \emptyset$, then we add a constant $(c, 0)$ to $S_\Gamma$. If there is no function symbol whose arity is not $0$, then we add a function symbol $(f, 1)$ to $S_\Gamma$. We define the set $H_\Gamma$ as the least set which satisfies the following condition:

• if $(\beta, n) \in S_\Gamma$ and $a_i \in H_\Gamma \cup \Sigma_0 \cup \Sigma_1$ ($1 \le i \le n$), then $\beta(a_1, \ldots, a_n) \in H_\Gamma$.


¹ If we want to prove completeness of the logic in Sec. 5.3, we define $T_\Gamma$ as $(\{A \in \Sigma^{*} \mid \bot@A \notin \Gamma\}, \Sigma, \{\xrightarrow{\alpha} \mid \alpha \in \Sigma\})$, where $A \xrightarrow{\alpha} A\alpha$ if $\bot@A\alpha \notin \Gamma$ and otherwise undefined.
Second, we regard $\Sigma$ as the "Herbrand universe" by the following observation. Because $\Sigma$ is countably infinite and $\Sigma_0$ and $\Sigma_1$ are countable, we assume without loss of generality that $\Sigma \setminus (\Sigma_0 \cup \Sigma_1)$ is countably infinite. It is easy to see that $H_\Gamma$ is countably infinite. Therefore there is a bijection $H_\Gamma \to \Sigma \setminus (\Sigma_0 \cup \Sigma_1)$. By using this bijection, we regard any element in $H_\Gamma$ as an element in $\Sigma$. So $\Sigma_0 \cup \Sigma_1 \cup H_\Gamma = \Sigma$ and $\Sigma_0 \cap H_\Gamma = \Sigma_1 \cap H_\Gamma = \emptyset$.

Then we define $\Delta(\Gamma)$ as follows:
$$\Delta(\Gamma) = \{\psi[\alpha_0, \beta_1, \alpha_1, \beta_2, \ldots, \alpha_m := \gamma_0, \beta_1(\gamma_0), \gamma_1, \beta_2(\gamma_0, \gamma_1), \ldots, \gamma_m]@A \mid \forall^{n_0}\alpha_0\ \exists\beta_1 \ldots \forall^{n_m}\alpha_m\ \psi@A \in \Gamma,\ \gamma_{ij} \in \Sigma\}$$
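As an added illustration of the construction (not from the paper), take an assumption with a single proposition already in prenex normal form,
$$\Gamma = \{\forall\alpha.\exists\beta.\triangleright_\alpha\triangleright_\beta\, p\ @\ \varepsilon\},$$
where $p$ is a propositional variable, so that $m = 1$, $n_0 = 1$, $n_1 = 0$, $\Sigma_0 = \emptyset$ and $\Sigma_1 = \{\alpha, \beta\}$. Then
$$S_\Gamma = \{(\beta, 1)\},$$
since the only existentially quantified variable $\beta$ is preceded by $n_0 = 1$ universally quantified variable. No constant $(c, 0)$ is added because $\Sigma_1 \neq \emptyset$, and no $(f, 1)$ is added because $\beta$ already has arity $1$. The Herbrand universe is
$$H_\Gamma = \{\beta(\alpha),\ \beta(\beta),\ \beta(\beta(\alpha)),\ \beta(\beta(\beta)),\ \ldots\},$$
which is countably infinite and is identified, through the bijection, with fresh transition variables in $\Sigma \setminus \{\alpha, \beta\}$. Finally
$$\Delta(\Gamma) = \{\triangleright_\gamma\triangleright_{\beta(\gamma)}\, p\ @\ \varepsilon \mid \gamma \in \Sigma\},$$
a quantifier-free assumption: the universally quantified $\alpha$ ranges over every $\gamma \in \Sigma$ (including the elements of $H_\Gamma$), and the existentially quantified $\beta$ is replaced by the Herbrand term $\beta(\gamma)$ that depends on the chosen $\gamma$, which is the instance $\psi[\alpha_0, \beta_1 := \gamma_0, \beta_1(\gamma_0)]$ of the general definition.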

Lemma D.4. If $\Gamma \nvdash^{\varepsilon} \bot$, then $\Delta(\Gamma) \nvdash^{\varepsilon} \bot$ in quantifier-free logic.

Proof. We prove this lemma by contraposition.

Assume that $\Delta(\Gamma) \vdash^{\varepsilon} \bot$. Then there is a finite subset $\{\phi_i@A_i \mid 0 \le i < n\} \subseteq \Delta(\Gamma)$ such that $\{\phi_i@A_i \mid 0 \le i < n\} \vdash^{\varepsilon} \bot$. From the construction of $\Delta(\Gamma)$, for every $\phi_i$ there are $\theta_i$ and $\gamma_{ij} \in \Sigma$ such that $\theta_i@A_i \in \Gamma$ and $\theta_i = \forall^{n_0}\alpha_0\ \exists\beta_1 \ldots \forall^{n_m}\alpha_m\ \psi_i$ and $\phi_i = \psi_i[\alpha_0, \beta_1, \alpha_1, \beta_2, \ldots, \alpha_m := \gamma_0, \beta_1(\gamma_0), \gamma_1, \beta_2(\gamma_0, \gamma_1), \ldots, \gamma_m]$. Then we can get $\{\theta_i@A_i \mid 0 \le i < n\} \vdash^{\varepsilon} \bot$ by using (Ins) and $(\exists\text{-E})$ in an appropriate order. Therefore $\Gamma \vdash^{\varepsilon} \bot$. □

Lemma D.5. If $T, v, \rho; \varepsilon \Vdash \Delta(\Gamma)$, then $T, v, \rho; \varepsilon \Vdash \Gamma$.

Proof. Let $\forall^{n_0}\alpha_0\ \exists\beta_1 \ldots \forall^{n_m}\alpha_m\ \psi@A \in \Gamma$. We can get the following proposition by easy induction on the number of existential quantifiers:

for all $\gamma_{ij} \in \Sigma$, $T, v, \rho; \varepsilon \Vdash \exists\beta_k\ \forall^{n_k}\alpha_k \ldots \forall^{n_m}\alpha_m\ \psi[\alpha_0, \beta_1, \ldots, \alpha_{k-1} := \gamma_0, \beta_1(\gamma_0), \ldots, \gamma_{k-1}]$.

This lemma is an easy consequence of this proposition. □



Proof of Theorem 5.2. We prove by contraposition. Assume $\Gamma \nvdash^{\varepsilon} \phi$. Then $\Gamma, \neg\phi@\varepsilon \nvdash^{\varepsilon} \bot$. By Lemma D.4, $\Delta(\Gamma \cup \{\neg\phi@\varepsilon\})$ is a consistent assumption in the quantifier-free fragment. Therefore, from completeness of the quantifier-free fragment (Theorem D.3), there is a model such that $T, v, \rho; \varepsilon \Vdash \Delta(\Gamma \cup \{\neg\phi@\varepsilon\})$. By Lemma D.5, $T, v, \rho; \varepsilon \Vdash \Gamma$ and $T, v, \rho; \varepsilon \Vdash \neg\phi$. Therefore $T, v, \rho; \varepsilon \nVdash \phi$. So $\Gamma \nVdash \phi$. □